Ransomware Roundup – Dark Power and PayMe100USD Ransomware | FortiGuard Labs

Fortinet FortiGuard Labs’ bi-weekly Ransomware Roundup highlights Dark Power and PayMe100USD, outlining their file-encrypting behavior on Windows and the actor’s apparent data-leak threats, with Fortinet-provided protections and best practices. The report notes ransom demands, Tor-based leak activity, and attacker tradecraft such as fake Bing installers for PayMe100USD. #DarkPower #PayMe100USD #Fortinet #FortiGuard #Tor #Monero #Bitcoin #qTox

Key points

  • Dark Power ransomware is described as a relatively new Windows-targeting variant with a ransom note and data-encrypting behavior.
  • The article provides explicit encryption behavior, including appending a specific extension to encrypted files.
  • Dark Power stops specific services and terminates processes to encrypt in-use files on the system.
  • It also discusses Shadow Copy (VSS) disruption to reduce recoverability from backups.
  • PayMe100USD is a Python-based ransomware variant discovered in March 2023, likely distributed via fake Bing installers.
  • PayMe100USD encrypts certain drives and excludes a list of file extensions, while dropping multiple ransom notes demanding Bitcoin.

MITRE Techniques

  • [T1490] Inhibit System Recovery – It stops the Volume Shadow Copy (VSS) service before encrypting files. ‘…files not written to a Volume Shadow Copy before the ransomware encrypted them are not recoverable from a backup created through the VSS.’
  • [T1489] Service Stop – Terminates the following processes to encrypt files that are presently in use: taskmgr.exe, encsvc.exe, powerpnt.exe, ocssd.exe, steam.exe, isqlplussvc.exe, outlook.exe, sql.exe, ocomm.exe, agntsvc.exe, mspub.exe, onenote.exe, winword.exe, thebat.exe, excel.exe, mydesktopqos.exe, ocautoupds.exe, thunderbird.exe, synctime.exe, infopath.exe, mydesktopservice.exe, firefox.exe, oracle.exe, sqbcoreservice.exe, dbeng50.exe, tbirdconfig.exe, msaccess.exe, visio.exe, dbsnmp.exe
  • [T1486] Data Encrypted for Impact – The ransomware then encrypts files and appends a “.dark_power” extension to the affected files. ‘…encrypts files and appends a “.dark_power” extension to the affected files.’
  • [T1059.006] Python – PayMe100USD ransomware is written in Python. ‘PayMe100USD is a new ransomware written in Python that was discovered in March 2023.’
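The three Dark Power behaviors above (VSS stop, mass process termination from a fixed list, and the ".dark_power" rename) are individually noisy but together form a usable host-level detection. The script below is an added example, not FortiGuard's code: it walks a constructed, simplified pipe-separated event stream (the `kind|host|image|target` format and the sample hosts are assumptions standing in for EDR or Sysmon telemetry), counts hits per technique for each host, and only raises a "likely Dark Power" verdict when the encryption marker is seen alongside recovery inhibition or the kill-list pattern. The kill list, extension and note names are taken from the report.

```python
"""Per-host correlation of the Dark Power behaviours described in the roundup.

Added example (not FortiGuard's code). The event format below is a
constructed, simplified stand-in for real endpoint telemetry.
"""

# Process names the report says Dark Power terminates before encrypting (T1489).
DARK_POWER_KILL_LIST = {
    "taskmgr.exe", "encsvc.exe", "powerpnt.exe", "ocssd.exe", "steam.exe",
    "isqlplussvc.exe", "outlook.exe", "sql.exe", "ocomm.exe", "agntsvc.exe",
    "mspub.exe", "onenote.exe", "winword.exe", "thebat.exe", "excel.exe",
    "mydesktopqos.exe", "ocautoupds.exe", "thunderbird.exe", "synctime.exe",
    "infopath.exe", "mydesktopservice.exe", "firefox.exe", "oracle.exe",
    "sqbcoreservice.exe", "dbeng50.exe", "tbirdconfig.exe", "msaccess.exe",
    "visio.exe", "dbsnmp.exe",
}
ENCRYPTED_EXTENSION = ".dark_power"              # T1486 marker from the report
RANSOM_NOTE_NAMES = {"readme.pdf", "payme 1.txt"}  # note names listed in the report
VSS_SERVICE_NAMES = {"vss", "volume shadow copy"}  # T1490: Volume Shadow Copy stop

# Constructed sample events: kind|host|image|target (assumed format, not a real log).
SAMPLE_EVENTS = r"""
process_terminate|ws01|unknown.exe|sql.exe
process_terminate|ws01|unknown.exe|outlook.exe
process_terminate|ws01|unknown.exe|winword.exe
process_terminate|ws01|unknown.exe|notepad.exe
service_stop|ws01|unknown.exe|VSS
file_rename|ws01|unknown.exe|C:\Users\a\report.docx.dark_power
file_rename|ws01|unknown.exe|C:\Users\a\budget.xlsx.dark_power
file_create|ws01|unknown.exe|C:\Users\a\readme.pdf
process_terminate|ws02|taskmgr.exe|chrome.exe
file_rename|ws02|explorer.exe|C:\Users\b\notes.txt
"""

TECHNIQUES = ("T1489", "T1490", "T1486", "notes")


def parse_event(line):
    """Split one pipe-separated event into a dict; target keeps any embedded pipes."""
    kind, host, image, target = line.split("|", 3)
    return {"kind": kind, "host": host, "image": image, "target": target}


def basename(path):
    """File name component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze(text):
    """Count per-host hits for each Dark Power behaviour in the event stream."""
    per_host = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        counts = per_host.setdefault(ev["host"], dict.fromkeys(TECHNIQUES, 0))
        target = ev["target"].lower()
        if ev["kind"] == "process_terminate" and target in DARK_POWER_KILL_LIST:
            counts["T1489"] += 1
        elif ev["kind"] == "service_stop" and target in VSS_SERVICE_NAMES:
            counts["T1490"] += 1
        elif ev["kind"] == "file_rename" and target.endswith(ENCRYPTED_EXTENSION):
            counts["T1486"] += 1
        elif ev["kind"] == "file_create" and basename(target) in RANSOM_NOTE_NAMES:
            counts["notes"] += 1
    return per_host


def triggered(counts, kill_threshold=3):
    """Technique IDs whose evidence crosses the (assumed) alerting thresholds."""
    hits = []
    if counts["T1489"] >= kill_threshold:   # a few kill-list matches, not one
        hits.append("T1489")
    if counts["T1490"] > 0:
        hits.append("T1490")
    if counts["T1486"] > 0:
        hits.append("T1486")
    return hits


def is_likely_dark_power(counts):
    """Encryption marker plus recovery inhibition or the kill-list pattern."""
    hits = triggered(counts)
    return "T1486" in hits and ("T1490" in hits or "T1489" in hits)


if __name__ == "__main__":
    for host, counts in analyze(SAMPLE_EVENTS).items():
        print(host, counts, triggered(counts), is_likely_dark_power(counts))
```

The kill-list threshold and the requirement that the ".dark_power" rename be present before alerting are design choices to keep a single legitimate `taskkill` or a VSS restart from paging anyone; tune them to the noise level of your own telemetry, and treat a ransom-note drop on its own as a high-priority triage signal even though it does not change the verdict here.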

Indicators of Compromise

  • [SHA256] File-based IOCs – 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389, 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394, and 2 more hashes
  • [SHA256] File-based IOCs – c2aa5d89d1fb63c65806a789f529daf774ceff411338c43438ea6c0175e10fd0, 4daca38854ba0a471d25250f106122ff81b8bbda2b19569a9e0b6e7f56187746, and 2 more hashes
  • [File Name] Ransom notes – readme.pdf, PayMe 1.txt, and 6 more notes
  • [AV Signature] W64/Filecoder.HE!tr.ransom, W64/Kryptik.CWP!tr
  • [AV Signature] W32/Filecoder_L0v3sh3.A!tr.ransom

Read more: https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware