Dark Power Ransomware: Targeting businesses with a unique ransom note

Dark Power is a ransomware strain that was first identified in 2020. It encrypts the victim’s files and requests a ransom payment in exchange for the decryption key. Dark Power’s ransom note is distinct from other ransomware campaigns. Instead of the usual plain text ransom note, the ransomware transmits a ransom note in PDF format. To receive a functioning decryptor, the ransomware message instructs victims to send the requested amount in XMR to the specified wallet within 72 hours.

Typically, exploit kits, spam emails, and malicious advertising campaigns are used to spread Dark Power ransomware. To evade detection after infecting a system, it tries to turn off security software and other safeguards. This ransomware is written in Nim, a cross-platform language that has gained popularity among malware writers. There are now two distinct ransomware variants, each with a unique encryption key and file format.

During operation, the ransomware randomly generates a 64-character ASCII string that is specific to each machine it targets and is used to create a decryption tool. Then, specific services and programs on the victim’s computer are terminated in order to speed up the encryption process. The files are renamed, and the extension is changed to “.dark power.” System-critical files, such as program files, web browser folders, DLLs, LIBs, INIs, CDMs, LNKs, BINs, and MSIs, are exempt from encryption in order to preserve the behavior of the infected system.

The Dark Power ransomware mostly targets businesses in the manufacturing, food production, IT, healthcare, and educational sectors. Algeria, the Czech Republic, Egypt, France, Israel, Peru, Turkey, and the United States are among the prime targets of the ransomware.