A nascent ransomware gang has burst onto the scene with vigor, breaching at least 10 organizations in less than a month’s time.
The group, which Trellix researchers have named “Dark Power,” is in most ways like any other ransomware group. But it separates itself from the pack due to sheer speed and lack of tact — and its use of the Nim programming language.
“We first observed them in the wild around the end of February,” notes Duy Phuc Pham, one of the authors of a Thursday blog post profiling Dark Power. “So it’s only been half a month, and already 10 victims are affected.”
What’s odd is that there seems to be no rhyme or reason as to whom Dark Power targets, Trellix researchers said. The group has added to its body count in Algeria, the Czech Republic, Egypt, France, Israel, Peru, Turkey, and the US, across the agricultural, education, healthcare, IT, and manufacturing sectors.
Using Nim as an Advantage
One other significant way that Dark Power distinguishes itself is in its choice of programming language.
“We see that there is a trend where cybercriminals are extending to other programming languages,” Pham says. The trend is fast spreading among threat actors. “So even though they’re using the same kind of tactics, the malware will evade detection.”
Dark Power utilizes Nim, a high-level language its creators describe as efficient, expressive, and elegant. Nim was “a bit of an obscure language originally,” the authors noted in their blog post, but “is now more prevalent with regards to malware creation. Malware creators use it since it is easy to use and it has cross-platform capabilities.”
It also makes it more difficult for the good guys to keep up. “The cost of the continuous upkeep of knowledge from the defending side is higher than the attacker’s required skill to learn a new language,” according to Trellix.
What Else We Know About Dark Power
The attacks themselves follow a well-worn ransomware playbook: Social-engineering victims through email, downloading and encrypting files, demanding ransoms, and extorting victims multiple times regardless of whether they pay.
The gang also engages in classic double extortion. Even before victims know they’ve been breached, Dark Power “might have already collected their sensitive data,” Pham explains. “And then they use it for the second ransom. This time they say that if you’re not going to pay, we’re going to make the information public or sell it on the Dark Web.”
As always, it’s a Catch-22, though, because “there is no guarantee that if you pay the ransom, there will be no consequences.”
Thus, enterprises need to have policies and procedures in place to protect themselves, including the ability to detect Nim binaries.
“They can try to establish robust backup and recovery systems,” says Pham. “This is, I think, the most important thing. We also suggest that organizations have a very precise, very powerful incident response plan in place before all of this can happen. With that, they can reduce the impact of the attack if it occurs.”