A new ransomware operation called Dark Power has surfaced, targeting organisations around the world and demanding relatively small ransom payments of $10,000. According to a recent report from cybersecurity firm Trellix, the ransomware is written in the Nim programming language, a niche choice that makes its binaries less likely to be flagged by defence tools.
Dark Power has already listed its first victims on a dark web data leak site (powerj7kmpzkdhjg4szvcxxgktgk36ezpjxvtosylrpey7svpmrjyuyd.onion, currently offline), and the group is threatening to publish the stolen data if a ransom is not paid within 72 hours.
The ransom note, an 8-page PDF document, stands out from those of other ransomware operations: it explains what has happened and how to contact the attackers via the qTox messenger.
The group has already targeted ten victims from different countries and claims to have stolen data from their networks, making it another double extortion group.
Indicators of compromise: MITRE ATT&CK techniques
T1059 Command and Scripting Interpreter
T1027 Obfuscated Files or Information
T1082 System Information Discovery
T1486 Data Encrypted for Impact
T1047 Windows Management Instrumentation
T1140 Deobfuscate/Decode Files or Information
T1057 Process Discovery
T1490 Inhibit System Recovery
T1070.001 Indicator Removal: Clear Windows Event Logs
T1489 Service Stop
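The technique list above is most useful to a defender when it is turned into detection logic. The following Python script is an added example, not code from the article or from Trellix: it tags constructed Windows process-creation events with the ATT&CK technique IDs listed above and raises an alert when one host shows several of the pre-encryption techniques (inhibiting recovery, clearing event logs, stopping services) together. The command-line patterns are generic, textbook manifestations of each technique and are assumed for illustration; they are not commands extracted from the Dark Power sample. The event format and the sample events are constructed.

```python
import re
from collections import defaultdict

# ATT&CK technique IDs from the article's list, with their names.
TECHNIQUES = {
    "T1490": "Inhibit System Recovery",
    "T1070.001": "Indicator Removal: Clear Windows Event Logs",
    "T1489": "Service Stop",
    "T1047": "Windows Management Instrumentation",
    "T1057": "Process Discovery",
    "T1082": "System Information Discovery",
}

# Generic command-line patterns commonly associated with each technique.
# ASSUMPTION: these are well-known manifestations of the technique, not
# commands observed in Dark Power. Patterns are applied to the lower-cased command line.
RULES = [
    ("T1490", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("T1490", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("T1490", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b.*\bno\b")),
    ("T1070.001", re.compile(r"\bwevtutil(\.exe)?\b\s+(cl|clear-log)\b")),
    ("T1489", re.compile(r"\b(net|net1|sc)(\.exe)?\b\s+stop\b")),
    ("T1047", re.compile(r"\bwmic(\.exe)?\b")),
    ("T1057", re.compile(r"\btasklist(\.exe)?\b")),
    ("T1082", re.compile(r"\bsysteminfo(\.exe)?\b")),
]

# Techniques whose co-occurrence on one host is the classic pre-encryption pattern.
RANSOMWARE_PRECURSORS = {"T1490", "T1070.001", "T1489"}

# Constructed process-creation events in the form "timestamp|host|user|command line".
# The last line is a legitimate backup administrator listing (not deleting) shadow copies.
SAMPLE_EVENTS = """\
2023-03-20T09:12:01Z|WS-0042|corp\\alice|"C:\\Windows\\System32\\systeminfo.exe"
2023-03-20T09:12:05Z|WS-0042|corp\\alice|tasklist.exe /v
2023-03-20T09:13:10Z|WS-0042|corp\\alice|vssadmin.exe delete shadows /all /quiet
2023-03-20T09:13:11Z|WS-0042|corp\\alice|wmic.exe shadowcopy delete
2023-03-20T09:13:12Z|WS-0042|corp\\alice|bcdedit.exe /set {default} recoveryenabled no
2023-03-20T09:13:20Z|WS-0042|corp\\alice|net.exe stop "SQL Server (MSSQLSERVER)" /y
2023-03-20T09:13:25Z|WS-0042|corp\\alice|wevtutil.exe cl Security
2023-03-20T09:15:00Z|WS-0007|corp\\bob|"C:\\Program Files\\Git\\bin\\git.exe" status
2023-03-20T09:16:00Z|SRV-BACKUP|corp\\svc_backup|vssadmin.exe list shadows
"""


def classify(cmdline: str) -> set[str]:
    """Return the set of ATT&CK technique IDs whose pattern matches the command line."""
    lowered = cmdline.lower()
    return {tid for tid, pattern in RULES if pattern.search(lowered)}


def parse_events(text: str) -> list[dict]:
    """Split the constructed pipe-delimited event text into dictionaries."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append({"ts": ts, "host": host, "user": user, "cmd": cmd})
    return events


def scan(text: str) -> list[dict]:
    """Return only the events that matched at least one technique, with IDs attached."""
    hits = []
    for ev in parse_events(text):
        ids = classify(ev["cmd"])
        if ids:
            hits.append({**ev, "techniques": sorted(ids)})
    return hits


def hosts_with_precursors(hits: list[dict], minimum: int = 2) -> dict[str, set[str]]:
    """Hosts on which at least `minimum` distinct pre-encryption techniques were seen."""
    per_host: dict[str, set[str]] = defaultdict(set)
    for h in hits:
        per_host[h["host"]].update(set(h["techniques"]) & RANSOMWARE_PRECURSORS)
    return {host: ids for host, ids in per_host.items() if len(ids) >= minimum}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(h["ts"], h["host"], ", ".join(h["techniques"]), "<-", h["cmd"])
    for host, ids in hosts_with_precursors(hits).items():
        names = ", ".join(f"{i} ({TECHNIQUES[i]})" for i in sorted(ids))
        print(f"ALERT {host}: pre-encryption techniques seen: {names}")
```

Two design points matter here. A single match such as a WMI call (T1047) or a `systeminfo` run (T1082) is far too noisy to alert on, so the script only records those as context; the alert fires on the combination of recovery inhibition, log clearing and service stopping on one host, which is the sequence an operator runs immediately before launching encryption (T1486). The benign `vssadmin list shadows` from the backup account deliberately does not match T1490, showing why the rule keys on deletion rather than on the tool name.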