A relatively new ransomware gang named Dark Power is in the wild, hacking organisations around the world and demanding a comparatively affordable ransom.

The gang listed over 10 victims in its first month of operation and is actively looking for more. Researchers note that Dark Power is somewhat unusual in using a lesser-known programming language and in distributing two variants to hit victims accordingly.

A New Ransomware Gang in the Wild

Researchers at Trellix have discovered a new ransomware gang named Dark Power, which has recently been hitting organisations in several countries. Having started on January 29, 2023, the Dark Power gang already has over 10 victims listed on its dark net website, where it threatens to leak their data.

The Dark Power ransomware is said to differ slightly from others by being written in Nim, a cross-platform programming language with several speed-related advantages that make it well suited to ransomware operations.

And since Nim is a relatively new language, most security solutions fail to detect it. While the researchers didn't mention how Dark Power carries out its attacks, they said the ransomware creates a randomized 64-character ASCII string to start the encryption process, with a unique key on each execution.

Further, it terminates specific services and processes on the victim's system to free up files for encryption, and deletes the shadow copies of data to make later recovery hard. Investigation gets harder still because the ransomware also wipes the console and the Windows system logs in the process.

Encrypted files are renamed with the ".dark_power" extension. Certain file types such as DLLs, LIBs, INIs, CDMs, LNKs, BINs, MSIs etc. are excluded from encryption to keep the infected system operational, so that the victim can view the ransom note and contact the gang.
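The behaviours described above (shadow copy deletion, log clearing and a wave of renames to ".dark_power") can be correlated per host during triage. The following is an added example, not code from Trellix or from the original article; the event tuple layout, host names, thresholds and the sample command lines are constructed assumptions, and the article does not say which commands the ransomware actually runs.

```python
from collections import defaultdict

EXT = ".dark_power"   # extension named in the article
WINDOW_S = 120        # assumption: burst window in seconds
RENAME_BURST = 5      # assumption: renames inside the window that count as a burst

# Constructed sample telemetry: (epoch seconds, host, event kind, detail)
EVENTS = [
    (1000, "ws-01", "process", r"vssadmin.exe delete shadows /all /quiet"),
    (1010, "ws-01", "log_cleared", "System"),
] + [(1020 + i, "ws-01", "file_rename", rf"C:\data\report{i}.docx{EXT}") for i in range(8)] + [
    (2000, "ws-02", "file_rename", r"C:\tmp\notes.txt.dark_power"),  # single rename, no burst
    (2100, "ws-03", "process", r"vssadmin.exe list shadows"),        # benign admin query
]

def is_shadow_delete(cmdline):
    """Loose match on a command line that deletes volume shadow copies."""
    c = cmdline.lower()
    return "shadow" in c and "delete" in c

def rename_burst(times):
    """True if RENAME_BURST or more renames fall inside any WINDOW_S-second span."""
    times = sorted(times)
    lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > WINDOW_S:
            lo += 1
        if hi - lo + 1 >= RENAME_BURST:
            return True
    return False

def triage(events):
    """Map each host with at least one signal to a 'high' or 'review' verdict."""
    renames, signals = defaultdict(list), defaultdict(set)
    for ts, host, kind, detail in events:
        if kind == "file_rename" and detail.lower().endswith(EXT):
            renames[host].append(ts)
        elif kind == "process" and is_shadow_delete(detail):
            signals[host].add("shadow_copy_deletion")
        elif kind == "log_cleared":
            signals[host].add("log_cleared")
    for host, times in renames.items():
        if rename_burst(times):
            signals[host].add("rename_burst")
    # high: encryption burst plus an anti-recovery step; review: any lone signal
    return {h: ("high" if "rename_burst" in s and len(s) > 1 else "review")
            for h, s in signals.items()}

if __name__ == "__main__":
    print(triage(EVENTS))
```

A lone log-clear or shadow-copy deletion is reported as "review" rather than "high", since administrators perform both legitimately.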

Aside from using the Nim language, the Dark Power gang stands out with its ransom note, an 8-page PDF that contains details on how the victim was hacked and instructions on how to contact the gang over qTox messenger. The gang gives victims 72 hours to respond and pay its $10,000 ransom in XMR (Monero).

Setting the ransom at a much more affordable sum is yet another tactic to convince the organisation to pay without much hesitation. Trellix notes that the Dark Power gang's victims are spread all over the world and are pressured through the double-extortion method, as with other gangs in this field.

