PreCySec

Dark Power Ransomware Analysis


Dark Power Ransomware Note



Introduction


Dark Power is a new ransomware, first seen in January 2023. We encountered it during one of our incident response engagements. Encrypted files are appended with the ".dark_power" extension and a ransom note named "readme.pdf" is dropped in each directory where files were encrypted.


Image 1 - PreCySec LinkedIn post about Dark Power.

The first mentioning of Dark Power was in a threat report by the National Cyber and Information Security Agency (NÚKIB), saying:

In January, NÚKIB registered two ransomware attacks. The PLAY ransomware and now the Dark Power ransomware have been detected again. Both of the attacks targeted non-regulated entities. Although PLAY is a new ransomware, it has attacked a number of significant victims across the whole world. According to researchers, PLAY is operated by the same actors as Hive and Nokoyawa. Dark_power is also a new ransomware, however, has not been as active as PLAY so far...

The Dark Power group is reported to have breached up to 10 organizations in February 2023. The sample we encountered was compiled on February 10, 2023:


Image 2 - Ransomware binary compilation timestamp

It encrypts files on the system and appends the ".dark_power" extension to them. A ransom note named "readme.pdf" is created in every folder in which files were encrypted, and the ransomware opens the note before it terminates.


In this incident the ransomware was deployed by a hands-on-keyboard attacker as the last stage of the intrusion; the initial breach happened quite some time before the ransomware was executed.


Image 3 - Ransomware encryption on a compromised system.


A Few Words About Nim


Nim is a statically typed, compiled programming language created by Andreas Rumpf and designed primarily for performance. It was originally named Nimrod (first public release in 2008) and was renamed Nim in 2014. Nim is a relatively young language that threat actors have increasingly adopted over the past five years.


Malware authors pick up newer languages partly to evade detection, since signatures and analyst tooling lag behind. Nim's syntax is relatively straightforward, it has cross-platform support, and it compiles (via C) into native Windows and Linux executables, just like C and C++.


Because the malware is written in Nim, its dependencies are Nim libraries, installed with Nimble, the Nim package manager (the counterpart of Python's pip). Dark Power relies on two of them. Nimcrypto provides implementations of various primitives, among them AES, Blowfish, hash functions and random number generation. Winim provides Windows API definitions, structs and COM helpers for Windows-based Nim programs.



Dark Power Ransomware Operations


The Dark Power group is another double-extortion ransomware operation: data is exfiltrated during the hands-on phase of the attack and the ransomware encrypts files at the end. What sets Dark Power apart is that it is written in Nim, which makes the binary fast and efficient and, as discussed above, harder to detect. On an endpoint, Dark Power sweeps the compromised system's filesystem: processes, services and logical disk drives are enumerated to gather "targets" for termination and file encryption.


Like most ransomware groups, Dark Power follows the ransomware playbook that was leaked as part of the Conti leaks (more information can be found here and here). The playbook lays out a simple kill chain for Conti affiliates: reconnaissance, initial access, discovery, privilege escalation, lateral movement, domain takeover and data exfiltration (creation of a Mega cloud storage account and use of Rclone). It also explains how to run well-known techniques (Kerberoasting, PrintNightmare, ZeroLogon, etc.) and malicious scripts and tools (Cobalt Strike, Mimikatz, PowerShell, etc.).


The ransomware binary is not packed, but its control flow is heavily obfuscated. Hardcoded encrypted strings are used to build the process/service blacklists and the encryption exclusion lists (see later in this post). The string decryption key is hardcoded, and so is a table of IVs (easy to locate with a bit of digging). The file encryption IV (the CTR nonce) is likewise hardcoded, together with other constants: one IV is used for all files.


A new file encryption key is generated on every execution; the key generator is seeded with a random number obtained from the operating system's CSPRNG. In addition, the ransomware wipes the cipher context and key from memory after each string decryption and after each file encryption (different AES-256-CTR keys are used for string decryption and for file encryption).


Dark Power imports code from the following Nim libraries:

Library/Code                                    Intended Functionality

rijndael.nim (Nimcrypto)                        AES-256-CTR for file encryption and for strings/config decryption.

random.nim (BCryptGenRandom + xoroshiro128+)    Nim's default PRNG, xoroshiro128+. It is not a cryptographic generator by itself; on Windows it is seeded from BCryptGenRandom, and that seed is where the key's entropy comes from.

Winim (Nim's Windows API and COM library)       • Win32 API interactions
                                                • Win32 imports resolving
                                                • WMI/COM interactions
                                                • System enumeration
                                                • Process/service termination
                                                • Event log clearing
                                                • Self-deletion of the ransomware executable at the end of execution

Another variant of Dark Power has been reported in active use. That variant's key initialization routine was described as follows:

... the resulted sha256 digest of the randomized key is split into two halves. The first half is used as the AES key, while the second half is used as the IV (nonce).

The sample we analyzed matches the below encryption scheme:

... the resulted sha256 digest of the randomized key is used as the AES encryption key, and a fixed 128-bit value, "73 4B D9 D6 BA D5 12 A0 72 7F D6 4C 1E F4 96 87" is used as the encryption nonce.


Technical Analysis





Dynamic Imports Resolving


Dynamic imports resolving, or IAT resolving, is a process where malware (and legitimate software in some instances) retrieves handles and memory addresses of Win32 API DLLs and functions.


Malware that resolves imports dynamically will usually have an empty import table, or a fake one (containing random or misleading DLL and function names). The Win32 API function addresses the ransomware needs for its main actions are resolved at runtime. The functions include:

  • Sleep

  • FindFirstFileW

  • FormatMessageW

  • LocalFree

  • GetLastError

  • FindClose

  • FindNextFileW

  • MoveFileExW

  • BCryptGenRandom

  • IsEqualGUID

This technique is seen in almost all current malware. It combines a call to GetModuleHandle/LoadLibrary to obtain a handle to the DLL with a call to GetProcAddress to obtain the actual start address of the function:


Image 7 - Sleep, FindFirstFileW, FormatMessageW, LocalFree, GetLastError, FindClose, and more.
Image 8 - Dynamic imports resolving - BCryptGenRandom
Image 9 - Dynamic imports resolving - IsEqualGUID






Once the import address table (IAT) is constructed Dark Power will proceed to its main module.



NimMainModule


Once all preparations are completed, execution jumps to the ransomware main module - NimMainModule.


Image 10 - Jump to NimMainModule

After the hardcoded seed is copied into the buffer that will hold the final random number, buffers for global variables are allocated and the random number generator function is called ("init_rand_num_for_keygen" - name assigned during analysis):


Image 11 - Ransomware main module

The initialization random number is supplied to the file encryption key generator function ("dp_generate_encryption_key" - modified name). Dark Power's file encryption will be described later in the blog post.



Dark Power Strings Decryption


Dark Power obfuscates its control flow with a large set of encrypted strings, which also make up its configuration. The strings are hardcoded and each one is decrypted only at the moment it is needed at runtime. Every encrypted string is built dynamically as a "stack string" to keep static scanners from finding it: rather than being stored in one piece (usually in the .data/.rdata PE sections), the string is assembled by writing each character separately into the stack frame. Stack strings are harder for static detectors to match and cannot be extracted with tools like Sysinternals Strings.


Decryption Function & Hardcoded Key


The string decryption function is called hundreds of times during execution, since Dark Power's execution is driven by its encrypted strings.


Image 12 - References to the string decryption function in the ransomware code.

A hardcoded decryption key is used on all encrypted strings. The key itself is Base64 encoded. When execution reaches the string decryption function, the key is decoded and then SHA256-hashed.


Image 13 - Hardcoded Base64 key, Base64 decode and hashing functions.

The SHA-256 digest yields a 32-byte (256-bit) value, which becomes the AES-256 key. The key then goes through key initialization (the key schedule) and the AES crypt function is called:


Image 14 - String decryption key Base64 decode and SHA256 hashing.


String Decryption


Every time the string decryption function is called, the key is decoded and the cipher context is initialized with a hardcoded IV. Each encrypted string is paired with its own predefined IV from a table.


Image 15 - Hardcoded IV values for string decryption.

The IVs raw offset in the ransomware binary starts at 0x00043900:


Image 16 - Raw content: Dark Power Ransomware IV table for string decryption

Full list of IVs:

IV1 =   AC9AE2A23B3379503A1B9E591909D03C
IV2 =   E8AA87A3C3BFE81A71EB143F318D2EDC
IV3 =   3660F6C285BA1EB659E32075604200A0
IV4 =   7B7E86250D3FD9083FD94CCA9FF4C6E1
IV5 =   CA95DF2B25E12D1F09A1C668C55B02BA
IV6 =   8C652B83DDC1861C00B1083AC18ABCA0
IV7 =   95472DB304510D2F1EEC6F8802945ED0
IV8 =   6E50EB1A37FE0FE1168A40D18CD21918
IV9 =   D03836CEF1AFA3F45F5AD55836BF59BA
IV10 =  C4652A1A6887F45D51FFBBD6485EF7D7
IV11 =  A8B1090ECF6741698BCC2F12341FC8A3
IV12 =  3555E5A11731DD32531B664B8B8A1338
IV13 =  76F5CD05CA5E955E7AF9E8CA9790B53E
IV14 =  4DFBA9AC9CCC35107E755F026D00137C
IV15 =  5F6D96618D7775BABF0B6532C83BD093
IV16 =  35FD999FA4780D59596259C4DC7D053E
IV17 =  5FA19CD6C82E1BF0A2D34E59A1BA9831
IV18 =  A63A4C00DF60373FF02FC4C48C5C5198
IV19 =  1A870340051C8A24CDE710E87B61EA96
IV20 =  93CF978DA557803BC975924D685E30E5
IV21 =  835A7A53DACD2C83EE47DC099599011E
IV22 =  8EF54E3558FD64666D0F023111D1C600
IV23 =  C927716F61163278CDBC272DD60A925E
IV24 =  9969049BDF502A7193EB226655C80099
IV25 =  BFC93EB35F2DDE777608D73DC9907BDC
IV26 =  092622ACB8E1F42114E044ECE1C6A726
IV27 =  A35990216B3BE768D733F8C284E83874
IV28 =  BEA5E7B246A9A4F269EDEFC2BC9CC8FF
IV29 =  313D416F08CD72A12E8CE30972F1D867
IV30 =  77C516627C20421CDA02BC6A54079C04
IV31 =  8858F1E9077EAFA68091148D5606240C
IV32 =  A75AFF0E41556AD3BB37100D09C2CE34
IV33 =  FFD27C0200E412A79316364BAB9D5FC6
IV34 =  716392B7FB5A63A2D8E944635997EBFD
IV35 =  A618688A0CD54E02F5916867DBFF95DC
IV36 =  DC60DF88581170E2E0000EE3C381A39B
IV37 =  40E4066604A4625F35D28EA439EDAA81
IV38 =  2737B140503C4B02CC121A0D1F826ECC
IV39 =  55393954B02038863D02900264FE3F71
IV40 =  413F9FF8BC5A70AA37B456125ABBECEC
IV41 =  63F08194974AEC1572E8B9B1B4CF9E16
IV42 =  862E1F4D75172D1B376D18E916968C2D
IV43 =  959AB8CEE324D1711A846FE81FE984C6
IV44 =  7D01DFF13973BE815536C621E3CBC161
IV45 =  9DC06362DE8AA4510F101244FB6FED39
IV46 =  83A9F78F04E54EFE1E8CE4578CB82F2D
IV47 =  6B68DCFB808498ACD2D06EECB20F95BE
IV48 =  143C84A8454BE150A0CECE954B8EBE96
IV49 =  4F2AEAF4A915C0FC4A1892B1C1E57378
IV50 =  C2855496F769C374ECF0AF9882B8A488
IV51 =  3B28A0462AD47B80AA23ADF9FD027D16
IV52 =  C23102C9E8E07D9F3AD7295F3089EAB5
IV53 =  FF2ACFA60E21392DFC2510E9B9C3E162
IV54 =  34515E24506F67D1FA46C5A503B3E88D
IV55 =  58298D7F1238E9F1015A4EB208E123E0
IV56 =  7C38F85BD3AE95A1651815A33F3E0641
IV57 =  9B07F933768A176BB3E33922B8CC305E
IV58 =  E6A4B321E23CBDF89866F68020FD9638
IV59 =  97B46B54FCA200C34D55FCC2BFDFE192
IV60 =  45AAF9733DD693B14AD0901BBED17E75
IV61 =  5143374F06B8DD959635CBB891C2F061
IV62 =  B144703428591979195D5D9751F5CE10
IV63 =  9ED0D08D4397489843C985F9FFB0C1CE
IV64 =  42FA1B02D178CCD82031151CBF99F2B8
IV65 =  D0ED5DC05D6F7CEE6CDE6AD77D49E07B
IV66 =  0CC81B337375F1B5F5A3D3FE6C9E13E3
IV67 =  74C37A9B1E956DA687202B7AF89A93B6
IV68 =  D49E72A8D603FF97847F3EA88B532B7A
IV69 =  CCD60FDEAACD05331AC6044EB6EAEE1E
IV70 =  994B886BA07887020E23013649799D42
IV71 =  30D61A35D8D8FA6B6E2747F1A6A859E4
IV72 =  B4D842D307E8D61EB772F5BD77238E11
IV73 =  22312E8BFB0FFDE4F9FFD099E9DBF259
IV74 =  A6FD51278EEBE1979914E956FEAAB515
IV75 =  AA686C163E032286A26E20BDD395406E
IV76 =  C1D2368D33846CC2CAFA05CDF645CEDF
IV77 =  BAB0D20F68EE56BCBF8696E11031F025
IV78 =  0EB0B16BA850B875F43CF078B5FC7779
IV79 =  1440BC247ABA8C1F68CE8EE89B558D59
IV80 =  E1524BE36CC5DB7E9CDFF5D74C06B3C3
IV81 =  EE08F4FBEF10D50798BB08AB42B8DF44
IV82 =  9B01218E4BB5E40C0331B6A3C25EFA6A
IV83 =  3E64EF29DDAA4BD01ABFE38A39AEB39F
IV84 =  EE4A1E63285548216BB7850C33D08219
IV85 =  36EBD256BE33CB412C03FA3E2152CCA1
IV86 =  4C0D3754DFD358F74333641B9CE69B47
IV87 =  10C83C323CDC003CDC4EE8E0174E4AB0
IV88 =  1B4D56E47F7B305B2B37EC317E7C210C
IV89 =  3EA3316098C1A022A5EFBFA2B28455EB
IV90 =  208102F250476ED5C31E1AEDADDE0EC9
IV91 =  36168F797BDD230324E7BA2E8BADE5FB
IV92 =  C055EB72A4EDFC97DB1DE29692BAE38B
IV93 =  5F205D2D3F9505AE4DF83DEA22B01CF5
IV94 =  BABF3D4928C15C03711ED3C9A7B7B52B
IV95 =  9B5BAE496CBB6FF2C7DD730ACE6B40F7
IV96 =  3BA4118C7AF231823E4A372BC2DCAFF7
IV97 =  00A84A0E4BB0F07697AB73297CE0F583
IV98 =  A06D5706ECD41DFCAF006940333BF733
IV99 =  B7C579C7A2C4EC550F5341944940E758
IV100 = 3020CA145E63041B7FBDCF3C5D3BA48F
IV101 = 1959E4118181BC23B7A29C9C847D66F5
IV102 = 0D8AE8FEEF8ACF0AFF217FC8FAAFA4B4
IV103 = 1617E7AA87080BFCCA6BCC1067FF7AB6
IV104 = 8F48C59ED69AB58BDDA8994A650D7E8E
IV105 = 10027F703EA7760257C9F3DD2E389E08
IV106 = 5B7E8F8818A29493726BED2D3F9FDA5C
IV107 = 32937ED0E7DD5FDAB1F6FAC8BC03F567
IV108 = FB93AB5406157DA88C6464C97F901C93
IV109 = 0905BADCDD908D91D3D801404D1ABD34
IV110 = 09A3A64510BC553A92324909D25F51A4
IV111 = E9ED0C6ED2C82857632DE8F953791C2B
IV112 = 41B3F4EB687C4B3FC93A23CCA3016D74
IV113 = 40B53D6F6854BB911D92490F5E3EBFDF
IV114 = 76D29A1A54DB4CDE5ED64762493D3E74
IV115 = 592805EC0E40899D601C26BD4374DFA9
IV116 = B4AF675A9EA6B5047537C88640BDCE8D
IV117 = 3BA217CED30054511545E402229492AA
IV118 = 3862E1736A92DCD9AB0DA8239722015B
IV119 = 91F5765D213FC2080494BAEE59ACCD3F
IV120 = 114C4E599B76009C36FE909D37221E7A
IV121 = 3C8248F651567A08D0A29515B00A46B1
IV122 = A6725DE0EB7F1D508BFCBE779BDE798C
IV123 = 50BEE0372B411577C1D39D22BA00FBA6
IV124 = 8801DB0C602BEB0A4B237EF6C5130E83
IV125 = 1797B9584A9AAC8D32C54C78D165B9A2
IV126 = 8A28692C7E388909BF692940BB170FC6
IV127 = 9C62B665D042A5A05D97865411864CEA
IV128 = 962DC28BD5EDBABAF5AE5EC0DAC5C8DE
IV129 = BDA9FDF4F518BE91FC7DC33E6379FE00
IV130 = FBE2FD63AC9EA4FE855334B32E837553
IV131 = 51F8381B92495532B987EE091BA3EBC2
IV132 = 547B54DD29D49791BF7C8C8B2587BCF5
IV133 = 1FB85C2D65B1DA403997D340C0CDB402
IV134 = D69DD1415BC3FFA6C47224075677BF66
IV135 = 80914B373C39E6E03FDE382760AEE980
IV136 = 9C5FD1A9DB42CF1F39E1AD3D8497E20F
IV137 = B7BAA47117628F6AB173A04B172AA86F
IV138 = BF8087D36042CCF06EB2B9DE03A2C66B
IV139 = B4E5E36ECC70AC6F3BAEFACA50BA6F7A
IV140 = C279C2BB0FE5D9CEA418D7C432A301D3
IV141 = F1FE1DC4EB615E4AF9B686359E55265C
IV142 = 2AF5282C28219A7060792FACD2A903DF
IV143 = A878A3D035E365A5936586D28FD12EDF
IV144 = 78F11E4D6DD7F06D6F5859C5BF3B8F3F
IV145 = 3DB37347DE601E9974661EEE7366EE35
IV146 = E076FBDBE22C991D215B2F80A76D7783
IV147 = 9A373ABBEC10BAD6163B7A3042FE1F7C
IV148 = CF63C3254AF1FC65CB4FBDCE04494245
IV149 = 2D12B79D3D782C2968968C583DEBF10C
IV150 = 4DFB5169B7376F307FD8B0C0CA8A3F93
IV151 = 83C904E55FF31DDBB01FAD6710AF8C20
IV152 = E253FCA5687955F28DDB60DB0B9135CC
IV153 = E1FE94C06D5988491B7E2E839252A3AA
IV154 = D8B4122CA89CAB3257480DAE0FE715E9
IV155 = 5273466A419913A3FD31312AEA67BB9B
IV156 = D48DE6D8BFDBA2012E3945058FFF8B66
IV157 = D87CA52BA04F021586145B8AA3DBF7DC

The SHA-256 of the key and the IV are supplied to the AES initialization function. The 32-byte key is expanded by the key schedule into the round keys used in each round (14 rounds in AES-256).


Image 17 - String decryption function: key initialization, AES decryption and memory clearing.

For example, below is a dynamically generated Base64 string (stack string). At runtime the string is Base64-decoded and then AES-decrypted:

Image 18 - Example encrypted string prior to decryption.

Testing the decryption key and the IV on the string results in successful decryption:


Image 19 - Example decryption of an encrypted string.
Image 20 - Example decryption of an encrypted string.

As mentioned, the string decryption function is called hundreds of times, especially in the ransomware's main runtime function:


Image 21 - Encrypted stack strings from the ransomware core runtime function.

Image 22 - Graph view of the ransomware's core function.


Automated Strings Decryption


We wrote a small script that automates the string decryption. All IVs were extracted and put into Python lists for that. Check it on our GitHub.



Image 23 - string decryption script and GitHub repository.

Strings decryption function:

Image 24 - String decryption Python script.
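The scheme described above (Base64-decode the hardcoded key, SHA-256 it, then AES-256-CTR with the string's own IV from the table) is small enough to reproduce stand-alone. The Go program below is an added example written for this post; it is not PreCySec's Python script and not code from the binary. The key material is a placeholder (the real Base64 key only appears in the screenshots), ivTable holds the first three entries of the IV table above, and EncryptString exists only to construct test input, since the binary of course ships only ciphertext.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
)

// Placeholder for the hardcoded Base64 key (assumption: the real value is not reproduced here).
var hardcodedKeyB64 = base64.StdEncoding.EncodeToString([]byte("placeholder-string-key"))

// First three entries of the IV table found at raw offset 0x43900 (values from the post).
var ivTable = []string{
	"AC9AE2A23B3379503A1B9E591909D03C",
	"E8AA87A3C3BFE81A71EB143F318D2EDC",
	"3660F6C285BA1EB659E32075604200A0",
}

// DeriveStringKey mirrors the binary: Base64-decode the key, then SHA-256 it to get 32 bytes (AES-256).
func DeriveStringKey(keyB64 string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(raw)
	return sum[:], nil
}

// ctrXor runs AES-256-CTR; CTR is symmetric, so the same call encrypts and decrypts.
func ctrXor(key, iv, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// ivFor returns the table entry for a 1-based index, matching the IV1..IV157 numbering in the post.
func ivFor(ivIndex int) ([]byte, error) {
	if ivIndex < 1 || ivIndex > len(ivTable) {
		return nil, fmt.Errorf("IV index %d out of range", ivIndex)
	}
	return hex.DecodeString(ivTable[ivIndex-1])
}

// DecryptString does what the decryption stub does at runtime:
// Base64-decode the stack string, then AES-256-CTR decrypt with the derived key and the string's IV.
func DecryptString(keyB64 string, ivIndex int, blobB64 string) (string, error) {
	key, err := DeriveStringKey(keyB64)
	if err != nil {
		return "", err
	}
	iv, err := ivFor(ivIndex)
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(blobB64)
	if err != nil {
		return "", err
	}
	pt, err := ctrXor(key, iv, ct)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// EncryptString is the inverse, used here only to build test input (the binary never encrypts strings).
func EncryptString(keyB64 string, ivIndex int, plain string) (string, error) {
	key, err := DeriveStringKey(keyB64)
	if err != nil {
		return "", err
	}
	iv, err := ivFor(ivIndex)
	if err != nil {
		return "", err
	}
	ct, err := ctrXor(key, iv, []byte(plain))
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	blob, _ := EncryptString(hardcodedKeyB64, 1, "win32_process") // constructed sample blob
	plain, err := DecryptString(hardcodedKeyB64, 1, blob)
	fmt.Printf("blob=%s plain=%q err=%v\n", blob, plain, err)
}
```

To run it against the real sample, replace hardcodedKeyB64 with the key from the decryption stub, load all 157 table entries, and pass the index the caller resolves for each string. Two things to keep in mind: a wrong IV does not produce an error, only garbage, so check the output for printable text; and because CTR is a stream mode the ciphertext has exactly the plaintext's length, which is why one-byte strings such as "." appear in the tables below as four-character blobs like "2g==".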


Dark Power File Encryption


Dark Power uses a symmetric-only encryption scheme and encrypts files with AES-256-CTR. Most of the crypto functionality is based on Nimcrypto's Rijndael (pronounced "Rain-Dahl") encryption algorithm implementation.


Image 25 - Nimcrypto functions and global variables.

Rijndael is the original name of the cipher family from which AES (Advanced Encryption Standard) was standardized; the family supports several block and key sizes. NIST (the National Institute of Standards and Technology) standardized the variants with a 128-bit (16-byte) block size and three key sizes: 128 bits (16 bytes), 192 bits (24 bytes) and 256 bits (32 bytes).


The ransomware generates one pseudo-random number in each execution, used to generate the AES-256-CTR encryption key.


Pseudo-Random Number Generator (PRNG)


To obtain an initial seed for the key generation function, the ransomware calls BCryptGenRandom, the Windows CSPRNG, and feeds the result into Nim's PRNG. The function is called from NimMainModule (names of some functions and variables were changed during the analysis):


Image 26 - calls to PRNG and keygen functions.

The used PRNG is Nim's default - xoroshiro128+. It can be provided with an initial seed that is randomized by the OS (on Windows - BCryptGenRandom). The source code can be found here (random.nim).


Image 27 - Xoroshiro128+ default Nim PRNG with BCryptGenRandom().

Inside the function wrapper_BCryptGenRandom (modified name), BCryptGenRandom is called with the hAlgorithm parameter set to NULL (0x0) and dwFlags set to 0x2 (BCRYPT_USE_SYSTEM_PREFERRED_RNG), meaning the system-preferred PRNG (pseudo-random number generator) will be used:


Image 28 - Call to BCryptGenRandom

The call refers to the pointer of the function inside bcrypt.dll. The Base address of the DLL was already stored during dynamic imports resolution at the setup phase.


Image 29 - Memory addresses of bcrypt.dll and BCryptGenRandom function.

Microsoft documentation on BCryptGenRandom:

Image 30 - BCryptGenRandom flags.

16 bytes random number example:


Image 31 - Example random number.
The random number is then passed to xoroshiro128+ to generate the final number:

  1. Helper value declaration

  2. DefaultRandSeed declaration

  3. Xoroshiro128+



Image 32 - Similarity between DarkPower's xoroshiro128+ code compared with random.nim source code.

Inline xoroshiro128+ code:


Image 33 - inline xor/rotate/shift/rotate (xoroshiro).

Nim code: (random.nim)

const DefaultRandSeed = Rand(
    a0: 0x69B4C98CB8530805u64,
    a1: 0xFED1DD3004688D67CAu64
)

helper_pureZrandom_55:

const helper = [0xbeac0467eba5facbu64, 0xd86b048b86aa9922u64] 

With the flags used here, BCryptGenRandom returns output from the system-preferred CNG random number generator, which is seeded from kernel entropy sources, so the 16-byte seed cannot be recreated from the binary or guessed from host properties. A different seed, and therefore a different key string, is produced on every execution; each encrypted system requires its own key. Note that xoroshiro128+ itself is deterministic: anyone who captures the seed (or the generated key string, which the ransomware prints to its console window) can reproduce the key.



Key Generator Function


The initialized random number is used to seed the key generator function, together with two hardcoded constants: 0x61 ('a') and 0x7A ('z'). They bound every byte generated in the keygen loop to the lowercase a-z range. The requested key length is 0x40, the parameter passed to the function.


Image 34 - Keygen function.

The result is a 0x40 (64) byte key string, which is later hashed and fed to the AES-256 key initialization function. In memory the key is preceded by its length field, which shows up as "@" (0x40):


Image 35 - 64 bytes-long generated encryption key.


Encryption


The 64-byte key string is SHA-256 hashed to produce the 32-byte AES-256 key. The SHA-256 digest is then passed to the key initialization function along with the hardcoded IV.


Dark Power compares the file size to encrypt with 9999999. It has two functions, one for big files and one for regular files:


Image 36 - File size check before encryption.

Once execution enters one of the two encryption functions (the regular-file function will be the one used most often), the SHA-256 key is computed, the hardcoded IV is passed in and encryption proceeds.


Presumably the ransomware avoids reading files larger than 9,999,999 bytes with readFile() so as not to consume too much free RAM.


The function open() (Nim system/io library) is called twice:

  • once to read the original file prior to encryption (mode 0 - read-only);

  • a second time with mode 1 - write, where the file to encrypt is referenced by the global variable staticFileEncs_ef_1668. The file is then read 1,000 bytes at a time inside a loop.

The encryption key and IV do not change between the big files and regular files encryption functions.


Image 38 - continuation: big files encryption function.


The Nim system/io functions setFilePos(), readBuffer() and writeBuffer() are used to process the encrypted data of big files.


Image 38 - continuation: big files encryption function.

If the file is of regular size, readFile() is used to read it:


Image 39 - Regular files encryption function.

And system/io writeFile() function is used to write the encrypted file data to the new file.


Image 40 - Continuation: regular file encryption function


Dark Power clears all memory used to store the encryption key every time it finishes encrypting a single file. Malware analysts can recover encryption keys from memory if not wiped by the ransomware, as done with Bad Rabbit ransomware.


Hardcoded IV: \x73\x4B\xD9\xD6\xBA\xD5\x12\xA0\x72\x7F\xD6\x4C\x1E\xF4\x96\x87

The IV (the CTR nonce) is supplied together with the generated key when the AES-CTR context is initialized, before encryption starts.


Image 41 - Hardcoded AES-256-CTR IV

An example of a generated key string and hash can be seen below:


Image 42 - Example generated key string SHA256 hashing.

The encrypted data is then written to the file and the ".dark_power" extension is appended to the filename. Once done, the encrypted file is "moved" over the original with MoveFileExW(), overwriting it.


Image 43 - Addition of the ".dark_power" extension to the encrypted file path, followed by the call to MoveFileExW


Dark Power prints the file encryption key to its window and then prints each file it encrypts, prefixed with "[ENC]". The volume shadow service (VSS) is terminated prior to encryption.


Image 44 - Encrypted files are printed to the window.
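The two artefacts the post describes for every affected directory, the rename to ".dark_power" and the readme.pdf drop, are enough for a behavioural rule. The Go program below is an added example for this post, not PreCySec's tooling: it runs that rule over a handful of constructed JSON-lines file events (the field names op, path, dest and proc are this example's own, not any product's schema) and flags a process once it has renamed renameThreshold files to the extension and written a readme.pdf into at least one directory it touched.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Event is the shape of the constructed telemetry below (field names are this example's assumption).
type Event struct {
	Op   string `json:"op"`             // "create" or "rename"
	Path string `json:"path"`           // file created, or rename source
	Dest string `json:"dest,omitempty"` // rename destination
	Proc string `json:"proc"`           // image name of the acting process
}

// Constructed sample events, not real logs: sample.exe behaves like Dark Power, explorer.exe does not.
const sampleEvents = `{"op":"rename","path":"C:\\Users\\alice\\Documents\\q1.xlsx","dest":"C:\\Users\\alice\\Documents\\q1.xlsx.dark_power","proc":"sample.exe"}
{"op":"rename","path":"C:\\Users\\alice\\Documents\\notes.docx","dest":"C:\\Users\\alice\\Documents\\notes.docx.dark_power","proc":"sample.exe"}
{"op":"create","path":"C:\\Users\\alice\\Documents\\readme.pdf","proc":"sample.exe"}
{"op":"rename","path":"D:\\share\\budget.xlsx","dest":"D:\\share\\budget.xlsx.dark_power","proc":"sample.exe"}
{"op":"rename","path":"D:\\share\\plan.pptx","dest":"D:\\share\\plan.pptx.dark_power","proc":"sample.exe"}
{"op":"create","path":"D:\\share\\readme.pdf","proc":"sample.exe"}
{"op":"rename","path":"C:\\Users\\alice\\Desktop\\draft.txt","dest":"C:\\Users\\alice\\Desktop\\final.txt","proc":"explorer.exe"}
{"op":"create","path":"C:\\Users\\alice\\Downloads\\readme.pdf","proc":"explorer.exe"}`

// Verdict accumulates per-process evidence.
type Verdict struct {
	Renamed     int             // files renamed to .dark_power
	TouchedDirs map[string]bool // directories that received such a rename
	NoteDirs    map[string]bool // directories where a readme.pdf was created
	Hit         bool
}

// splitPath lower-cases and splits on either separator, so Windows paths work on a non-Windows analysis host.
func splitPath(p string) (dir, base string) {
	p = strings.ToLower(p)
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[:i], p[i+1:]
	}
	return "", p
}

// Analyze applies the rule to JSON-lines events and returns a verdict per process image.
func Analyze(jsonl string, renameThreshold int) (map[string]*Verdict, error) {
	out := map[string]*Verdict{}
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev Event
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("bad event %q: %w", line, err)
		}
		v := out[ev.Proc]
		if v == nil {
			v = &Verdict{TouchedDirs: map[string]bool{}, NoteDirs: map[string]bool{}}
			out[ev.Proc] = v
		}
		switch ev.Op {
		case "rename":
			if dir, base := splitPath(ev.Dest); strings.HasSuffix(base, ".dark_power") {
				v.Renamed++
				v.TouchedDirs[dir] = true
			}
		case "create":
			if dir, base := splitPath(ev.Path); base == "readme.pdf" {
				v.NoteDirs[dir] = true
			}
		}
	}
	if err := sc.Err(); err != nil {
		return nil, err
	}
	// Fire only when the note landed in a directory the same process encrypted in.
	for _, v := range out {
		for d := range v.NoteDirs {
			if v.TouchedDirs[d] {
				v.Hit = v.Renamed >= renameThreshold
				break
			}
		}
	}
	return out, nil
}

func main() {
	verdicts, err := Analyze(sampleEvents, 3)
	if err != nil {
		panic(err)
	}
	for proc, v := range verdicts {
		fmt.Printf("%-14s renamed=%d note_dirs=%d hit=%v\n", proc, v.Renamed, len(v.NoteDirs), v.Hit)
	}
}
```

The correlation with the note directory is what keeps a lone readme.pdf download (explorer.exe above) from firing; in production the same rule would also be paired with the service-stop and event-log-clear WMI calls described later in this post, which happen before the first rename.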

Encryption flow:


  1. Generates a pseudo-random number (PRN) with BCryptGenRandom as the entropy source.

  2. The PRN is permuted with 8 rounds of XOR.

  3. The PRN is fed into the key generator function together with a hardcoded QWORD: 0x7A00000000000061 ('z' and 'a', the bounds of the character range).

  4. Generates an alphabetic string of 0x40 (64) bytes as the key string.

  5. The key string is SHA-256 hashed to obtain a 32-byte AES-256 key.

  6. The AES-CTR context is initialized with the key and the hardcoded IV: 734BD9D6BAD512A0727FD64C1EF49687.

  7. Encrypts with AES-256-CTR.


Encrypted file hex contents:

Image 45 - Encrypted file contents.

Decryption with AES-256-CTR:

Image 46 - Decrypted file contents.

Dark Power crypto code is based on rijndael.nim from the Nimcrypto library:


Image 47 - rijndael.nim (Nimcrypto)
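The PRNG and keygen sections above and the seven-step encryption flow, carried through in code. This Go program is an added example written for this post; it is not code from the binary and not PreCySec's tooling. GenerateKeyString uses the xoroshiro128+ step from Nim's random.nim and reduces each output onto 'a'..'z' with a modulo, which is an assumption (the sample's exact range reduction is not reproduced here); the seed and the two "documents" are constructed; fileNonce is the fixed IV recovered from the binary. The second half shows what the fixed nonce costs the operator: if every file in a run is encrypted with the same SHA-256 key and the same nonce, which is what the per-file re-initialization described above implies, every file is XORed with the same keystream, so one known plaintext/ciphertext pair recovers the keystream prefix for every other file of that length or shorter, without the key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Fixed CTR nonce hardcoded in the sample (value from the post).
var fileNonce, _ = hex.DecodeString("734BD9D6BAD512A0727FD64C1EF49687")

// xoroshiro128+ state and step, as in Nim's random.nim next().
type xoroshiro struct{ a0, a1 uint64 }

func (r *xoroshiro) next() uint64 {
	s0, s1 := r.a0, r.a1
	out := s0 + s1
	s1 ^= s0
	r.a0 = bits.RotateLeft64(s0, 55) ^ s1 ^ (s1 << 14)
	r.a1 = bits.RotateLeft64(s1, 36)
	return out
}

// GenerateKeyString models steps 3-4: 64 lowercase letters drawn from the seeded PRNG.
// Assumption: modulo reduction onto 'a'..'z'; the binary's exact reduction is not reproduced.
func GenerateKeyString(seed [2]uint64) string {
	r := xoroshiro{a0: seed[0], a1: seed[1]}
	key := make([]byte, 0x40)
	for i := range key {
		key[i] = 'a' + byte(r.next()%26)
	}
	return string(key)
}

// DeriveFileKey is step 5: SHA-256 of the key string gives the 32-byte AES-256 key.
func DeriveFileKey(keyString string) []byte {
	sum := sha256.Sum256([]byte(keyString))
	return sum[:]
}

// CryptFile is steps 6-7: AES-256-CTR with the fixed nonce. CTR is symmetric, so this also decrypts.
func CryptFile(keyString string, data []byte) []byte {
	block, err := aes.NewCipher(DeriveFileKey(keyString))
	if err != nil {
		panic(err) // the key is always 32 bytes, so this cannot happen
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, fileNonce).XORKeyStream(out, data)
	return out
}

// RecoverKeystream: plaintext XOR ciphertext is the keystream, and needs no knowledge of the key.
func RecoverKeystream(knownPlain, knownCipher []byte) []byte {
	n := minLen(len(knownPlain), len(knownCipher))
	ks := make([]byte, n)
	for i := 0; i < n; i++ {
		ks[i] = knownPlain[i] ^ knownCipher[i]
	}
	return ks
}

// ApplyKeystream decrypts as many bytes of data as the recovered keystream covers.
func ApplyKeystream(ks, data []byte) []byte {
	n := minLen(len(ks), len(data))
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = data[i] ^ ks[i]
	}
	return out
}

func minLen(a, b int) int {
	if a < b {
		return a
	}
	return b
}

func main() {
	// Constructed seed standing in for the 16 bytes obtained from BCryptGenRandom.
	key := GenerateKeyString([2]uint64{0x0123456789abcdef, 0xfedcba9876543210})
	fmt.Println("key string:", key)

	docA := []byte("%PDF-1.7\n% constructed sample document A")
	docB := []byte("%PDF-1.7\n% constructed sample document B, longer than A")
	encA, encB := CryptFile(key, docA), CryptFile(key, docB)

	// Same key + same nonce for every file: a known plaintext for A exposes B's prefix.
	ks := RecoverKeystream(docA, encA)
	fmt.Printf("recovered from B without the key: %q\n", ApplyKeystream(ks, encB))
}
```

For a responder this means two things. A recovered key string (the ransomware prints it to its console window, and it sits in memory until the per-file wipe) decrypts everything from that run through CryptFile. Failing that, any file from the run whose original is still available (a backup copy, or a format with a long fixed header) yields keystream that decrypts the same-length prefix of every other file from that run; with a 9,999,999-byte file as the known plaintext, that prefix covers most documents outright.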


File extensions excluded from encryption


Zdd9xw==              .lib
+srR5xo=              .pack
HPoFf/vlAcqhgQ==      .search-ms
mKv21A==              .dat
7nQFrw==              .ini
2WPKKbRvgrMy7kkn      .regtrans-ms
Rs6Yja0=              .vhdx
2OfDog==              .ps1
juPPo1g=              .log2
hcUOf3w=              .log1
Ry67FA==              .blf
Ls2bcQ==              .ldf
IVZTsh0=              .lock
vxc3MWak              .theme
gnyXFg==              .msi
ucrvmA==              .sys
Et8Nig==              .wpx
DE5h1w==              .cpl
AGZ0aQ==              .adv
q+w4Bg==              .msc
2IuUnw==              .scr
tmLe2A==              .bat
Qq9gtA==              .key
0S7Ehg==              .ico
C3x7ug==              .dll
VyUu3Q==              .hta
i5szU3eQs8j3fU2D3Eg=  .deskthemepack
50gC/lLIVrg=          .nomedia
ibkNrA==              .msu
PNU0mA==              .rtp
oujWrQ==              .msp
BrZkdQ==              .idx
cBm6/A==              .ani
7LDVuA==              .386
Eoh5YkpIMHs=          .diagcfg
xvacgQ==              .bin
qBegkg==              .mod
0fDslQ==              .ics
Pt+LaQ==              .com
f31kpw==              .hlp
BUT7sg==              .spl
6MRY1Q==              .nls
+HUqVA==              .cab
EcJaPA==              .exe
GA8j6E62n2k=          .diagpkg
wwzyJA==              .icl
V7q3Cw==              .ocx
YpeceQ==              .rom
3OEPSg==              .prf
uslnxN0Hze2ZqQ==      .themepack
7W0e8Z5T6d4o          .msstyles
y1B+DQ==              .lnk
zFRkp2g=              .icns
LE15/g==              .mpa
anPtyA==              .drv
M4ax9Q==              .cur
4K3iHwGKSis=          .diagcab
q4Gp8g==              .cmd
K7vzjQ==              .shs

Files excluded from encryption


VMeErSjfz6tqxQ==       readme.pdf
XBI0Hl0D               ef.exe
vaqVt00=               ntldr
9pnikdaXlYsn           thumbs.db
zil19ZIrBW/+ojQ7       bootsect.bak
PW0bXk5hLFSnq1Y=       autorun.inf
3fvSzpAOzGtU95RkEeM=   ntuser.dat.log
ex6+jSJvC88=           boot.ini
McxRrmHxSRWV4vDk       iconcache.db
whP+9ljT8/+/iYLV       bootfont.bin
05eZWaRecNjsUA==       ntuser.dat
kJiK8MrJBK7PaQ==       ntuser.ini
j4SNW3SaFdCKGfQ=       desktop.ini

Folders excluded from encryption


rvYroaTPbN/YhQnAaQ== program files
x5oBQJL7lg== appdata
z1Gh8PE5vg== mozilla
7y0aYkApZTSkwRzj3rpGPg== application data
ayV+FcGW google
v96gFRD3vpjYk5Cs $recycle.bin
6pk0AhTcYI08Qq4= windows.old
Alf3gQhlYFAapYY= programdata
x2SfauVHg7WF8SA3TzKBT6beOCgsbwkMlA== system volume information
NuGGfuDteOLNZVwpFCq++oP/cA== program files (x86)
MVLN4Q== boot
slA0cVNjaLozXnE= tor browser
p4ur/FauHg== windows
4gFOgpk=	intel
YxU9Ao27dos= perflogs
uSbvcjqAGTE= msocache



Ransom Note Creation


Dark Power stores the entire ransom note as a Base64-encoded blob. It is decoded and written to a PDF file named "readme.pdf" in every folder in which files were encrypted.


Image 48 - Base64 encoded ransom note.



Decoded ransom note in memory:


Image 49 - Base64 decoded ransom note.

Ransom note contents:


Dark Power Ransomware Note

DarkPower Tor negotiation website:


 hxxp[:]//power[REMOVED][.]onion
Image 50 - Dark Power Tor negotiation website (https://www.trellix.com/en-us/about/newsroom/stories/research/shining-light-on-dark-power.html)



Ransomware "Operational" Strings

Encrypted String                              | String                          | Purpose
Yon+wV/58zyrfUkjKg==                          | win32_process                   | Used to build a process enumeration WMI query.
pJ9n                                          | cls                             | Used to clear the ransomware cmd window before file encryption.
rn6rSlsc14iaLbaL1QAPWUSDQxc=                  | win32_nteventlogfile            | Used to build an event log file enumeration WMI query.
POseXCcrJRRvzc7KwA==                          | cleareventlog                   | Used to clear event logs.
bkWZZHy/zhQHJxI=                              | .dark_power                     | Dark Power ransomware extension, appended to encrypted files.
sSEfyrM4TQ==                                  | :wtfbbq                         | Used in the self-deletion function: the primary data stream is renamed and the ransomware binary is deleted from disk before execution ends.
JpafcNM=                                      | cimv2                           | Used to initialize the winmgmts (WMI moniker) object.
gK4lZ3SF5Zsm                                  | drivetype                       | Used in logical disk drive enumeration (Win32_LogicalDisk).
ERb2/VPn7sVjTgmTW2zz1NG1DfdCd18HEQ==          | Error in selfSplitFile :        | Hardcoded error when building the encrypted file path (with ".dark_power" extension).
dX7Fbg==                                      | root                            | Used to initialize the winmgmts (WMI moniker) object.
iXlQkUlqGKCbAhkdFLFWKVW/LYvNPcuEuatJBG+OKQ==  | SELECT * FROM Win32_LogicalDisk | Used in logical disk drive enumeration (Win32_LogicalDisk).
HbdyXjcV3JsY6AM=                              | stopservice                     | Used to stop services.
4Z5f7K3BaqF+                                  | terminate                       | Used to terminate processes.
gkBGwuhlKUmvpBT01A==                          | win32_service                   | Used to build a service enumeration WMI query.
LP7y                                          | Yes                             | Printed to the ransomware cmd window when "killing".
z402qPjI                                      | [ENC]                           | Prefix printed to the window before each file encrypted by the ransomware.
CUbX8Fw=                                      | Users                           | Used in building target paths for encryption.
KwyGfg==                                      | Name                            | Used in logical disk drive enumeration (Win32_LogicalDisk).
fn8+BQ==                                      | name                            | Used in process/service enumeration and blacklist comparison.
gVV/oJ7h6NPE3ck7I6gxjg==                      | [NO] in killing                 | Printed to the ransomware cmd window.
fKrt0tY6Ye2dgPqhjekftfM=                      | [YES] in killing                | Printed to the ransomware cmd window.
x0A7gsjxzPVMm7/jbUo=                          | select * from                   | Generic WMI query prefix used for enumeration.
2g==                                          | .                               | Used to initialize the winmgmts (WMI moniker) object (local machine).
aPY=                                          | C:                              | Used in logical disk drive enumeration (Win32_LogicalDisk).
ygDG                                          | >                               | Additional prefix printed before paths that were encrypted by the ransomware.
yQ==                                          | \                               | Used in logical disk drive enumeration (Win32_LogicalDisk).
enUAfHU=                                      | *.pdf                           | Used to look for the ransom note in every directory about to be encrypted (to verify it was not already processed).


Shell Commands Execution


When the ransomware finishes terminating and stopping services, including the VSS, it clears the cmd.exe window in order to start printing file paths it is going to encrypt.


Image 51 - clear cmd.exe window after stopping services.

The executed command is:

cmd.exe /c cls

Image 52 - Shell command execution.

The system() call executes the shell command. The result is a call to CreateProcessA for C:\Windows\System32\cmd.exe /c cls:


Image 53 - cmd.exe process creation.

WMI Queries


To interact with OS objects such as processes and services, the ransomware accesses the WMI service and the COM interface.


Image 54 - WMI moniker initialization.

Winmgmts is the WMI moniker, which instructs the Windows Script Host (WSH) to use the WMI objects. In addition, it connects to the default namespace, and gets a SWbemServices object.


The ImpersonationLevel property is an integer that defines the COM impersonation level assigned to this object. {ImpersonateLevel=impersonate} allows WMI-owned processes and objects to use the credentials of the calling user account.


Image 55 - winmgmts (WMI) initialization.

WMI query strings - processes, services and logical drives enumeration:

Image 56 - process enumeration WMI query.
Image 57 - Service enumeration WMI query.
Image 58 - Logical disk drives enumeration.

The SWbemServices.ExecQuery() method is invoked to execute the WMI queries and retrieve objects.

Image 59 - ExecQuery() WMI method to execute queries.

The code appears to be imported from OffensiveNim, from winmgmts.nim, or from both:


Image 60 - OffensiveNim: wmiquery_bin.nim


Logical Drives Enumeration


When the encryption stage is reached, after decrypting all necessary stack strings, logical drives are listed using the Win32_LogicalDisk WMI object class. As mentioned, the ransomware decrypts strings as they are needed rather than decrypting them all in one go.

Image 61 - WMI query string decryption.


Process Termination


As is usual for ransomware, processes are terminated based on a predefined blacklist contained in the encrypted strings. Once the strings are decrypted, the ransomware interacts with WMI and COM objects to kill the processes. In this case, the Win32_Process WMI object class is used: each process name is compared to those in the blacklist, and if a process name matches, it is terminated via the class's terminate method, Win32_Process.Terminate().

Image 62 - Process termination

The following processes are targeted and terminated by the ransomware: (each process name with its associated encrypted stack string)


ACCd52HjIgmOUHA=             taskmgr.exe
o0Jadnu9I3l2OA==             encsvc.exe
6Ge6/uXQt2ywVWjb             powerpnt.exe
mWOyxZV0Kq0g                 ocssd.exe
1jXvKm9HBcsM                 steam.exe
f3lMgKzNZ2GfnMjtTiyi         isqlplussvc.exe
t0DAA5Wg4FIbgiw=             outlook.exe
oajXKubSyQ==                 sql.exe
wm+yWvFULv13                 ocomm.exe
AbqNKqr6D9aDMqk=             agntsvc.exe
lI8ZjIUAgdRv                 mspub.exe
l8HiOUkJ8v1ILuM=             onenote.exe
NbC0pB1W1IytOqY=             winword.exe
hm4/fY3TrbN4KQ==             thebat.exe
M9om2cZ08BsS                 excel.exe
amixw/jXbo78YnRLcumwSw==     mydesktopqos.exe
uII9VsoFNokjk7Y26Jo=         ocautoupds.exe
D7xv1li/kvqf5iSwuizY         thunderbird.exe
wX/aUEDZ72XUFHeH             synctime.exe
iM+Ey5Vw6/LW3CMU             infopath.exe
DBMSZZ6GZN1/xdKi/4AmiSBNP10= mydesktopservice.exe
XM6cxW6ds3G/QGA=             firefox.exe
jFPPVYT0VfrFBw==             oracle.exe
e/FULrsJc8Z7tUOr5zkwqxpe     sqbcoreservice.exe
Pqb3wDD9/5OK2Pg=             dbeng50.exe
Bhcl405/NE2FMvrdQ4+r         tbirdconfig.exe
RTqEWl7Waohn4qqS             msaccess.exe
O8dFhtGMj07B                 visio.exe
M4UQrk2RzauVLQ==             dbsnmp.exe
mCAAxRLCZ4ZSpOk=             wordpad.exe
p+ue2BCO3n0AGRTmDA==         xfssvccon.exe


Stopping Services


As with process termination, the ransomware looks to stop services related to system recovery and backup (and also some that are simply related to the user's desktop experience). The service blacklist is contained in the encrypted strings, and each service running on the endpoint is compared against that blacklist. The stopping method mirrors process termination, using the stopservice method of the Win32_Service object: Win32_Service.StopService().


Image 63 - service termination

One of the blacklisted services is none other than the VSS (Volume Shadow Snapshot service). Unicode string "VSS":


Image 64 - "VSS" service short name string

The string "[YES] in killing" is appended to another string that indicates what the ransomware is looking to stop, in this case - the Volume Shadow Snapshot or Volume Shadow Copy service (VSS).


Image 65 - "[YES] in killing VSS" ransomware string

The string is printed to the ransomware's visible terminal window:

Image 66 - Encryption key and VSS service stoppage string printed to ransomware cmd window.

The following services are targeted and stopped by the ransomware:

Z/j/A4I= veeam
MKGIisFb memtas
xDXK     sql
Wbdi1bA= mssql
UrNYNcH1 backup
9qfc     vss
JXjlyk07 sophos
obl0BA== svc$
h+Itw08Y mepocs


Clear event logs


To cover its tracks and avoid leaving evidence for DFIR investigators, the ransomware clears the Windows event log files on the compromised machine, including the Security, Application and System event logs.


First, two strings are decrypted. The first, "win32_nteventlogfile", is used to interact with Win32_NTEventLogFile WMI objects. The second, "cleareventlog", names the method invoked on each of those log file objects: Win32_NTEventLogFile.ClearEventLog().


Image 67 - Event log clearing.
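The three host-level traces described in the Shell Commands Execution, Stopping Services and Clear event logs sections can be checked for in Windows event records. The following is an added example (not PreCySec's code and not the ransomware's) that runs over constructed records; the record layout, including a resolved short service name field on 7036 events, is an assumption and not something this page describes.

```python
import re

# Service blacklist as listed on this page. Matching each entry as a lower-case
# substring is an assumption about how the ransomware compares service names.
SERVICE_BLACKLIST = ["veeam", "memtas", "sql", "mssql", "backup", "vss", "sophos", "svc$", "mepocs"]

# Windows event IDs used below: System 7036 (service entered the stopped state),
# Security 1102 (audit log cleared), System 104 (log file cleared), Security 4688 (process creation).
CLEAR_CMD = re.compile(r"cmd\.exe\s+/c\s+cls\b", re.IGNORECASE)


def classify(rec):
    """Return a finding string for one record, or None if it matches nothing on this page.
    A record is a dict with 'time', 'event_id', 'channel', 'message' and, for 7036 events,
    'service' (short name). The raw 7036 text only carries the display name
    ("Volume Shadow Copy"), so the exporter is assumed to have resolved it to "VSS"."""
    eid = rec["event_id"]
    if eid == 7036 and "stopped state" in rec["message"].lower():
        svc = rec.get("service", "").lower()
        if any(item in svc for item in SERVICE_BLACKLIST):
            return f"blacklisted service stopped: {svc}"
    if eid in (1102, 104):
        return f"event log cleared: {rec['channel']}"
    # 4688 only carries the command line when command-line auditing is enabled.
    if eid == 4688 and CLEAR_CMD.search(rec["message"]):
        return "cmd.exe /c cls spawned (console clear before encryption)"
    return None


def triage(records):
    """Keep only matching records, in the order received, paired with their finding."""
    return [(r["time"], f) for r in records if (f := classify(r)) is not None]


def dark_power_score(records):
    """Number of distinct behaviours from this page observed (0 to 3)."""
    return len({f.split(":")[0] for _, f in triage(records)})


# Constructed sample records, not real telemetry.
SAMPLE = [
    {"time": "10:01:02", "event_id": 4688, "channel": "Security",
     "message": "New Process Name: C:\\Windows\\System32\\cmd.exe  Process Command Line: cmd.exe /c cls"},
    {"time": "10:01:03", "event_id": 7036, "channel": "System", "service": "VSS",
     "message": "The Volume Shadow Copy service entered the stopped state."},
    {"time": "10:01:03", "event_id": 7036, "channel": "System", "service": "Spooler",
     "message": "The Print Spooler service entered the stopped state."},
    {"time": "10:02:10", "event_id": 1102, "channel": "Security", "message": "The audit log was cleared."},
]

if __name__ == "__main__":
    for time, finding in triage(SAMPLE):
        print(time, finding)
```

Seeing all three behaviours within a short window on one host, as in the sample, is a stronger signal than any one of them alone; service stops and log clears also happen during legitimate maintenance.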


Self-Deletion


Prior to termination, DarkPower deletes its own executable file from disk. Normally this wouldn't work, but in this case ":wtfbbq" is an alternate data stream (ADS) used to self-delete the executable from within the ransomware process. It is a known technique for malware self-deletion prior to termination. DarkPower's self-delete function works as follows:

  1. Gets a handle to its own executable image (GetModuleFileNameW).

  2. Renames the image file's primary :$DATA stream to the specified stream ":wtfbbq".

  3. Closes the handle to the file.

  4. Opens a new handle to the ransomware executable.

  5. Closes the handle to trigger the deletion disposition.

  6. The executable is self-deleted.


Image 68 - Ransomware self-deletion function.

The code was taken from the OffensiveNim project repository:


Self-delete Nim function
https://github.com/byt3bl33d3r/OffensiveNim/blob/master/src/self_delete_bin.nim



Conclusions


Ransomware attacks pose a significant threat to organizations, with devastating and destructive consequences such as financial losses, sensitive data loss and reputational damage. It is crucial to maintain an updated backup and disaster recovery plan, educate employees on cybersecurity best practices and have preventive security controls such as an EDR. Organizations should map all critical data channels in their network infrastructure to better detect unauthorized channels, especially traffic to the Internet.


Having an incident response plan (IRP) in place is key to mitigating the consequences of security incidents. The Dark Power gang does not seem to waste time, and we expect to see more of them in the near future. The ransomware is fast and cross-platform, making it a powerful tool for the group and its affiliates.




Indicators of Compromise


Ransomware file names:

  • Ransomware archive: ef.rar

  • Ransomware executable: ef.exe

Ransomware RAR archive:

  • 796f6d815fb52bb943fe019ead0d2713fc48b37307c44f904352d3db8e5fb923


Ransomware Nim executable:

  • 33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389 (Analyzed sample)

  • 11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394 (additional sample)



References

  • https://www.darkreading.com/vulnerabilities-threats/dark-power-ransomware-extorts-10-targets-less-than-a-month

  • https://www.bleepingcomputer.com/news/security/new-dark-power-ransomware-claims-10-victims-in-its-first-month/

  • https://www.trellix.com/en-us/about/newsroom/stories/research/shining-light-on-dark-power.html

  • https://www.nukib.cz/download/publications_en/2023-01_EN.pdf

  • Unit42 HelloXD ransomware analysis

  • https://medium.com/@tarcisioma/ransomware-encryption-techniques-696531d07bb9

