Shining Light on Dark Power: Yet Another Ransomware Gang

The article analyzes the Dark Power ransomware gang, detailing its Nim-based ransomware, encryption techniques (AES-CTR), and anti-forensic tactics such as service and process termination, log clearing, and extensive file/folder exclusions. It also covers the gang’s ransom note approach, use of Tor and qTox for anonymity, global victim claims, and a double-extortion model.
#DarkPower #Nim #Monero #XMR #Tor #qTox #Algeria #CzechRepublic #Egypt #France #Israel #Peru #Turkey #USA

Keypoints

  • Dark Power is a Nim-based ransomware that uses AES-CTR with a per-target randomized key, making generic decryption tools difficult.
  • Ransomware strings are encrypted and stored in base64 inside the binary to hinder generic detection; a fixed key is used for decryption with varying IVs.
  • The malware targets and stops specific services (e.g., veeam, memtas, sql, vss, sophos) and the Volume Shadow Copy Service to prevent recovery.
  • It enumerates and terminates a wide set of processes (including Office apps, browsers, and database-related processes) to ensure encryption proceeds without locked files.
  • File and folder exclusions are extensive, ensuring crucial system components remain operational while encryption proceeds.
  • Ransom notes are PDFs sent to each folder and a Tor-based threat page with a Monero payment address; the attackers also leverage anonymity tools like Tor and qTox.
  • Two encryption variants exist, with different key/nonce handling; files are renamed with a .dark_power extension after encryption; data exfiltration is claimed but actual upload behavior is unclear.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – The ransomware uses the Windows command shell to clear the console: [“C:\Windows\system32\cmd.exe /c cls”]
  • [T1027] Obfuscated Files or Information – The strings within the ransomware are encrypted, which is likely done to make it harder for defenders to create a generic detection rule.
  • [T1140] Deobfuscate/Decode Files or Information – The disassembled instructions show a string decrypt operation, e.g., decrypt_AES_CTR leading to the output “.darkpower”.
  • [T1047] Windows Management Instrumentation – The ransomware queries WMI to enumerate processes: [“winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2” … “select * from win32_process”]
  • [T1490] Inhibit System Recovery – The Volume Shadow Copy Service (VSS) is stopped to hinder recovery.
  • [T1489] Service Stop – The ransomware stops multiple services, including veeam, memtas, sql, mssql, backup, vss, sophos, svc$, and mepocs.
  • [T1486] Data Encrypted for Impact – The encryption of the files that aren’t filtered out is performed using AES (CTR mode).
  • [T1070.001] Indicator Removal: Clear Windows Event Logs – It uses ClearEventLog() to erase event logs after execution.

Indicators of Compromise

  • [File name] ef.exe – File name of the analyzed sample binary
  • [MD5] df134a54ae5dca7963e49d97dd104660 – MD5 hash of the sample
  • [SHA-1] 9bddcce91756469051f2385ef36ba8171d99686d – Sample SHA-1 hash
  • [SHA-256] 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394 – Sample SHA-256 hash
  • [SHA-256] 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389 – Sample SHA-256 hash
  • [Monero Address] Ransom payment address – 85D16UodGevaWw6o9UuUu8j5uosk9fHmRZSUoDp6hTd2ceT9nvZ5hPedmoHYxedHzy6QW4KnxpNC7MwYFYYRCdt[redacted]
  • [Tor Hidden Service] Tor website – power[redacted].onion

Read more: https://www.trellix.com/en-us/about/newsroom/stories/research/shining-light-on-dark-power.html