Ransomware Roundup – Dark Power and PayMe100USD Ransomware | FortiGuard Labs

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers the Dark Power and PayME100USD ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Dark Power Ransomware

Overview

Dark Power is a relatively new ransomware launched in early February 2023. This is a rare ransomware breed in that it was written in the Nim programming language.

Dark Power Ransomware Infection Vector

Information on the infection vector used by this group is not currently available. However, it is not likely to differ significantly from other ransomware groups.

Dark Power Ransomware Execution

Once the Dark Power ransomware is executed, it terminates the following processes to encrypt files that are presently in use:

taskmgr.exe, encsvc.exe, powerpnt.exe, ocssd.exe, steam.exe, isqlplussvc.exe, outlook.exe, sql.exe, ocomm.exe, agntsvc.exe, mspub.exe, onenote.exe, winword.exe, thebat.exe, excel.exe, mydesktopqos.exe, ocautoupds.exe, thunderbird.exe, synctime.exe, infopath.exe, mydesktopservice.exe, firefox.exe, oracle.exe, sqbcoreservice.exe, dbeng50.exe, tbirdconfig.exe, msaccess.exe, visio.exe, dbsnmp.exe, wordpad.exe, xfssvccon.exe

It also stops the following services:

veeam, memtas, sql, mssql, backup, vss, Sophos, svc$, mepocs

The ransomware then encrypts files and appends a “.dark_power” extension to the affected files.

Screenshot of Figure 1. Files encrypted by Dark Power ransomware


Figure 1. Files encrypted by Dark Power ransomware

It avoids encrypting files and directories with the following extensions:

.lib, .pack, .search-ms, .dat, .ini, .regtrans-ms, .vhdx, .ps1, .log2, .log1, .blf, .ldf, .lock, .theme, .msi, .sys, .wpx, .cpl, .adv, .msc, .scr, .bat, .key, .ico, .dll, .hta, .deskthemepack, .nomedia, .msu, .rtp, .msp, .idx, .ani, .386, .diagcfg, .bin, .mod, .ics, .com, .hlpF, .spl, .nls, .cab, .exe, .diagpkg, .icl, .ocx, .rom, .prf, .themepack, .msstyles, .lnk, .icns, .mpa, .drv, .cur, .diagcab, .cmd, .shs, readme.pdf (file name used for ransom note dropped by Dark Power ransomware), ef.exe (file name used for Dark Power ransomware), ntldr, thumbs.db, bootsect.bak, autorun.inf, ntuser.dat.log, boot.ini, iconcache.db, bootfont.bin, ntuser.dat, ntuser.ini, desktop.ini, program files, appdata, mozilla, $windows.~ws, application data, $windows.~bt, google, $recycle.bin, windows.old, programdata, system volume information, program files (x86), boot, tor browser, windows, intel, perflogs, msocache

Once files have been encrypted, Dark Power drops a lengthy ransom note as a “readme.pdf”, as seen in Figure 1. The ransom note threatens victims that unless they send 10,000 USD worth of Monero (XMR) cryptocurrency to the attacker’s wallet within 72 hours, their encrypted files will be lost forever.

Screenshot of Figure 2. Page 1 of the Dark Power ransomware’s ransom note


Figure 2. Page 1 of the Dark Power ransomware’s ransom note

Screenshot of Figure 3. Page 2 of the Dark Power ransomware’s ransom note


Figure 3. Page 2 of the Dark Power ransomware’s ransom note

Screenshot of Figure 4. Page 3 of the Dark Power ransomware’s ransom note


Figure 4. Page 3 of the Dark Power ransomware’s ransom note

Screenshot of Figure 5. Page 4 of the Dark Power ransomware’s ransom note


Figure 5. Page 4 of the Dark Power ransomware’s ransom note

Screenshot of Figure 6. Page 5 of the Dark Power ransomware’s ransom note


Figure 6. Page 5 of the Dark Power ransomware’s ransom note

During our research, we did not see the Dark Power ransomware delete volume shadow copies of the affected machine. As a result, such encrypted files are potentially recoverable. Note that the ransomware stops the Volume Shadow Copy (VSS) service before encrypting files. As such, files not written to a Volume Shadow Copy before the ransomware encrypted them are not recoverable from a backup created through the VSS.

The ransom note also claims that the Dark Power threat actor stole data from the compromised machine, which will be published to its leak site on Tor if a ransom is not paid. At the time of this investigation, the leak site listed ten companies in various industries from nine countries in North America, Europe, and Africa.

Screenshot of Figure 7. FortiRecon data on Industries targeted by DarkPower Ransomware Group.


Figure 7. FortiRecon data on Industries targeted by DarkPower Ransomware Group.

Screenshot of Figure 8. The Dark Power ransomware’s leak site on Tor


Figure 8. The Dark Power ransomware’s leak site on Tor

Screenshot of Figure 9. The data leak page for one of the affected companies


Figure 9. The data leak page for one of the affected companies

Stolen data does not appear to be kept on the leak site. The site claims that the attacker will share the file location once contacted via qTox.

PayMe100USD Ransomware

Overview

PayMe100USD is a new ransomware written in Python that was discovered in March 2023. The malware has basic functionality and performs ordinary ransomware activities.

PayMe100USD Ransomware Infection Vector

The PayMe100USD ransomware samples that FortiGuard Labs collected have a Microsoft Bing logo and a file name of “newbing.exe”. As such, the ransomware was likely distributed via fake Bing installers.

PayMe100USD Ransomware Execution

Once the PayMe100USD ransomware is executed, it encrypts files in the D, E, and F drives and the user directory in the C drive. It adds a “.PayMe100USD” file extension to the affected files. The ransomware avoids encrypting files with the following file extensions:

.py, .pem, .exe, .mp4, .mkv, .payme100usd (file extensions of the files encrypted by PayMe100USD ransomware) , .iso

Screenshot of Figure 10. Files encrypted by PayMe100USD ransomware and its ransom notes


Figure 10. Files encrypted by PayMe100USD ransomware and its ransom notes

The ransomware then drops eight ransom notes, labeled “PayMe   1.txt” to “PayMe    8.txt”. Although the last number in the file names differ, all ransom notes are identical. The ransom notes ask victims to pay 100 USD worth of Bitcoin within 48 hours to recover the affected files and stop the alleged stolen data from being sold on the dark web.

Screenshot of Figure 11. PayMe100USD ransomware’s ransom note


Figure 11. PayMe100USD ransomware’s ransom note

Fortinet Protection

Fortinet customers are already protected from this malware variant through FortiGuard’s Web Filtering, AntiVirus, and FortiEDR services, as follows:

FortiGuard Labs detects known Dark Power ransomware variants with the following AV signatures:

  • W64/Filecoder.HE!tr.ransom
  • W64/Kryptik.CWP!tr

FortiGuard Labs detects known PayMe100USD ransomware variants with the following AV signature:

  • W32/Filecoder_L0v3sh3.A!tr.ransom

IOCs

File-based IOCs:

SHA256

Malware

33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389

Dark Power ransomware

11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394

Dark Power ransomware

c2aa5d89d1fb63c65806a789f529daf774ceff411338c43438ea6c0175e10fd0

PayMe100USD ransomware

4daca38854ba0a471d25250f106122ff81b8bbda2b19569a9e0b6e7f56187746

PayMe100USD ransomware

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.

Source: https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware