FortiGuard Labs Threat Research

Ransomware Roundup – Dark Power and PayMe100USD Ransomware

By Shunichi Imano and Geri Revay | March 30, 2023

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers the Dark Power and PayMe100USD ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

Dark Power Ransomware

Overview

Dark Power is a relatively new ransomware launched in early February 2023. This is a rare ransomware breed in that it was written in the Nim programming language.

Dark Power Ransomware Infection Vector

Information on the infection vector used by this group is not currently available. However, it is not likely to differ significantly from other ransomware groups.

Dark Power Ransomware Execution

Once the Dark Power ransomware is executed, it terminates the following processes so that files they hold open can be encrypted:

taskmgr.exe, encsvc.exe, powerpnt.exe, ocssd.exe, steam.exe, isqlplussvc.exe, outlook.exe, sql.exe, ocomm.exe, agntsvc.exe, mspub.exe, onenote.exe, winword.exe, thebat.exe, excel.exe, mydesktopqos.exe, ocautoupds.exe, thunderbird.exe, synctime.exe, infopath.exe, mydesktopservice.exe, firefox.exe, oracle.exe, sqbcoreservice.exe, dbeng50.exe, tbirdconfig.exe, msaccess.exe, visio.exe, dbsnmp.exe, wordpad.exe, xfssvccon.exe

It also stops the following services:

veeam, memtas, sql, mssql, backup, vss, Sophos, svc$, mepocs
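The two lists above double as a detection hook: outside of maintenance windows, a host rarely stops its backup, database and security services within a few seconds of each other. The Python script below is an added example written for this post, not code from FortiGuard Labs or from the ransomware itself. It parses constructed text lines shaped like Windows System log Event ID 7036 ("The <service> service entered the stopped state") and alerts when three or more services matching the tokens above stop inside a 60-second window. The sample lines, the display-name alias for the Volume Shadow Copy service, the case-insensitive substring matching and the thresholds are assumptions of the example, not details taken from the report.

```python
import re
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Service-name tokens the report says Dark Power stops (taken from the page).
DARK_POWER_SERVICE_TOKENS = [
    "veeam", "memtas", "sql", "mssql", "backup", "vss", "sophos", "svc$", "mepocs",
]

# Event 7036 messages carry the service *display* name, so a short name such
# as "vss" never appears literally. This alias map is an assumption of the
# example, not something the report states.
DISPLAY_NAME_ALIASES = {"volume shadow copy": "vss"}

# Constructed sample lines shaped like Windows System log Event ID 7036
# exported as text. They are made up for this example, not from a real host.
SAMPLE_LOG = """\
2023-03-20 09:14:02 7036 The Print Spooler service entered the running state.
2023-03-20 11:02:10 7036 The Volume Shadow Copy service entered the stopped state.
2023-03-20 11:02:11 7036 The SQL Server (MSSQLSERVER) service entered the stopped state.
2023-03-20 11:02:11 7036 The Veeam Backup Service service entered the stopped state.
2023-03-20 11:02:12 7036 The Sophos Endpoint Defense Service service entered the stopped state.
2023-03-20 11:02:13 7036 The Windows Backup service entered the stopped state.
2023-03-20 15:40:00 7036 The Windows Update service entered the stopped state.
"""

STOP_LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) 7036 The (?P<svc>.+?) service "
    r"entered the stopped state\.$"
)


def matches_token(service_name: str) -> Optional[str]:
    """Return the Dark Power token a service display name matches, or None.
    Matching is case-insensitive substring matching (an assumption here; the
    report lists tokens such as "sql" and "backup", not exact service names)."""
    lowered = service_name.lower()
    for display, short in DISPLAY_NAME_ALIASES.items():
        if display in lowered:
            return short
    for token in DARK_POWER_SERVICE_TOKENS:
        if token in lowered:
            return token
    return None


def parse_target_stops(log_text: str) -> List[Tuple[datetime, str]]:
    """Keep only 'entered the stopped state' events for services on the list."""
    events = []
    for line in log_text.splitlines():
        m = STOP_LINE_RE.match(line)
        if m and matches_token(m.group("svc")):
            stamp = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((stamp, m.group("svc")))
    return events


def find_service_stop_bursts(log_text: str, window_seconds: int = 60, min_distinct: int = 3) -> list:
    """Group target stops into bursts (gap between consecutive events <= window)
    and alert on any burst that stops at least `min_distinct` distinct services.
    One backup service restarting for maintenance never reaches the threshold;
    a pre-encryption sweep like the one described above does within seconds."""
    gap = timedelta(seconds=window_seconds)
    bursts, current = [], []
    for event in parse_target_stops(log_text):
        if current and event[0] - current[-1][0] > gap:
            bursts.append(current)
            current = []
        current.append(event)
    if current:
        bursts.append(current)

    alerts = []
    for burst in bursts:
        distinct = sorted({svc for _, svc in burst})
        if len(distinct) >= min_distinct:
            alerts.append({"start": burst[0][0], "end": burst[-1][0], "services": distinct})
    return alerts


if __name__ == "__main__":
    for alert in find_service_stop_bursts(SAMPLE_LOG):
        print(f"{alert['start']} - {alert['end']}: {len(alert['services'])} target services stopped")
        for svc in alert["services"]:
            print("   ", svc)
```

On the sample, the five stops between 11:02:10 and 11:02:13 form one burst and raise a single alert, while the isolated Windows Update stop at 15:40 is ignored because its display name matches none of the tokens. Tune `min_distinct` and `window_seconds` to the host's normal service churn before deploying such a rule.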

The ransomware then encrypts files and appends a “.dark_power” extension to the affected files.

Figure 1. Files encrypted by Dark Power ransomware

It avoids encrypting files and directories with the following extensions:

.lib, .pack, .search-ms, .dat, .ini, .regtrans-ms, .vhdx, .ps1, .log2, .log1, .blf, .ldf, .lock, .theme, .msi, .sys, .wpx, .cpl, .adv, .msc, .scr, .bat, .key, .ico, .dll, .hta, .deskthemepack, .nomedia, .msu, .rtp, .msp, .idx, .ani, .386, .diagcfg, .bin, .mod, .ics, .com, .hlpF, .spl, .nls, .cab, .exe, .diagpkg, .icl, .ocx, .rom, .prf, .themepack, .msstyles, .lnk, .icns, .mpa, .drv, .cur, .diagcab, .cmd, .shs, readme.pdf (file name used for ransom note dropped by Dark Power ransomware), ef.exe (file name used for Dark Power ransomware), ntldr, thumbs.db, bootsect.bak, autorun.inf, ntuser.dat.log, boot.ini, iconcache.db, bootfont.bin, ntuser.dat, ntuser.ini, desktop.ini, program files, appdata, mozilla, $windows.~ws, application data, $windows.~bt, google, $recycle.bin, windows.old, programdata, system volume information, program files (x86), boot, tor browser, windows, intel, perflogs, msocache

Once files have been encrypted, Dark Power drops a lengthy ransom note as a “readme.pdf”, as seen in Figure 1. The ransom note threatens victims that unless they send 10,000 USD worth of Monero (XMR) cryptocurrency to the attacker’s wallet within 72 hours, their encrypted files will be lost forever.

Figure 2. Page 1 of the Dark Power ransomware’s ransom note

Figure 3. Page 2 of the Dark Power ransomware’s ransom note

Figure 4. Page 3 of the Dark Power ransomware’s ransom note

Figure 5. Page 4 of the Dark Power ransomware’s ransom note

Figure 6. Page 5 of the Dark Power ransomware’s ransom note

During our research, we did not see the Dark Power ransomware delete volume shadow copies of the affected machine. As a result, such encrypted files are potentially recoverable. Note that the ransomware stops the Volume Shadow Copy (VSS) service before encrypting files. As such, files not written to a Volume Shadow Copy before the ransomware encrypted them are not recoverable from a backup created through the VSS.

The ransom note also claims that the Dark Power threat actor stole data from the compromised machine, which will be published to its leak site on Tor if a ransom is not paid. At the time of this investigation, the leak site listed ten companies in various industries from nine countries in North America, Europe, and Africa.

Figure 7. FortiRecon data on industries targeted by the Dark Power ransomware group

Figure 8. The Dark Power ransomware’s leak site on Tor

Figure 9. The data leak page for one of the affected companies

Stolen data does not appear to be kept on the leak site. The site claims that the attacker will share the file location once contacted via qTox.

PayMe100USD Ransomware

Overview

PayMe100USD is a new ransomware written in Python that was discovered in March 2023. The malware has basic functionality and performs ordinary ransomware activities.

PayMe100USD Ransomware Infection Vector

The PayMe100USD ransomware samples that FortiGuard Labs collected have a Microsoft Bing logo and a file name of “newbing.exe”. As such, the ransomware was likely distributed via fake Bing installers.

PayMe100USD Ransomware Execution

Once the PayMe100USD ransomware is executed, it encrypts files in the D, E, and F drives and the user directory in the C drive. It adds a “.PayMe100USD” file extension to the affected files. The ransomware avoids encrypting files with the following file extensions:

.py, .pem, .exe, .mp4, .mkv, .payme100usd (file extension of the files encrypted by PayMe100USD ransomware), .iso

Figure 10. Files encrypted by PayMe100USD ransomware and its ransom notes

The ransomware then drops eight ransom notes, labeled “PayMe   1.txt” to “PayMe    8.txt”. Although the last number in the file names differs, all ransom notes are identical. The ransom notes ask victims to pay 100 USD worth of Bitcoin within 48 hours to recover the affected files and to stop the allegedly stolen data from being sold on the dark web.

Figure 11. PayMe100USD ransomware’s ransom note

Fortinet Protection

Fortinet customers are already protected from these malware variants through FortiGuard’s Web Filtering, AntiVirus, and FortiEDR services, as follows:

FortiGuard Labs detects known Dark Power ransomware variants with the following AV signatures:

  • W64/Filecoder.HE!tr.ransom
  • W64/Kryptik.CWP!tr

FortiGuard Labs detects known PayMe100USD ransomware variants with the following AV signature:

  • W32/Filecoder_L0v3sh3.A!tr.ransom

IOCs

File-based IOCs:

SHA256                                                             Malware
33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389   Dark Power ransomware
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394   Dark Power ransomware
c2aa5d89d1fb63c65806a789f529daf774ceff411338c43438ea6c0175e10fd0   PayMe100USD ransomware
4daca38854ba0a471d25250f106122ff81b8bbda2b19569a9e0b6e7f56187746   PayMe100USD ransomware
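The file-level artifacts reported above for both families (the “.dark_power” and “.PayMe100USD” extensions, the “readme.pdf” and “PayMe N.txt” ransom notes, the “ef.exe” and “newbing.exe” file names, and the SHA256 hashes) can be folded into one offline triage pass over a mounted disk image or a suspect profile. The Python script below is an added example written for this post, not FortiGuard Labs or Fortinet code. It walks a directory tree, classifies each hit by family, and hashes executables against the IOC list. The sample directory it builds contains placeholder bytes only and is constructed demo data; the loose whitespace matching for the PayMe100USD note names is an assumption made because the report shows the names with uneven spacing.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Extensions the report says each family appends to encrypted files.
ENCRYPTED_EXTENSIONS = {".dark_power": "Dark Power", ".payme100usd": "PayMe100USD"}

# Ransom note names from the report. The report shows the PayMe100USD names with
# uneven spacing ("PayMe   1.txt"), so whitespace is matched loosely (assumption).
DARK_POWER_NOTE = "readme.pdf"
PAYME_NOTE_RE = re.compile(r"^payme\s*[1-8]\.txt$", re.IGNORECASE)

# Executable names the report associates with the two families.
SUSPICIOUS_NAMES = {"ef.exe": "Dark Power", "newbing.exe": "PayMe100USD"}

# SHA256 IOCs listed in the report.
IOC_SHA256 = {
    "33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389": "Dark Power",
    "11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394": "Dark Power",
    "c2aa5d89d1fb63c65806a789f529daf774ceff411338c43438ea6c0175e10fd0": "PayMe100USD",
    "4daca38854ba0a471d25250f106122ff81b8bbda2b19569a9e0b6e7f56187746": "PayMe100USD",
}


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root) -> dict:
    """Walk `root` and collect encrypted files, ransom notes, suspicious file
    names and executables whose hash matches an IOC. Each finding is a
    (path, family) tuple."""
    findings = {"encrypted": [], "notes": [], "suspicious_names": [], "ioc_hits": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            lower = name.lower()
            family = ENCRYPTED_EXTENSIONS.get(path.suffix.lower())
            if family:
                findings["encrypted"].append((str(path), family))
            if lower == DARK_POWER_NOTE:
                findings["notes"].append((str(path), "Dark Power"))
            elif PAYME_NOTE_RE.match(name):
                findings["notes"].append((str(path), "PayMe100USD"))
            if lower in SUSPICIOUS_NAMES:
                findings["suspicious_names"].append((str(path), SUSPICIOUS_NAMES[lower]))
            if path.suffix.lower() == ".exe":
                family = IOC_SHA256.get(sha256_of(path))
                if family:
                    findings["ioc_hits"].append((str(path), family))
    return findings


def families_seen(findings: dict) -> set:
    """Which families the evidence points at, across all finding types."""
    return {family for hits in findings.values() for _, family in hits}


def build_sample_tree() -> str:
    """Create a constructed directory that looks like a hit user profile.
    Contents are placeholders only; no real malware or ransom note is written."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    docs = Path(root) / "Users" / "alice" / "Documents"
    docs.mkdir(parents=True)
    (docs / "budget.xlsx.dark_power").write_bytes(b"\x00" * 16)
    (docs / "readme.pdf").write_text("placeholder ransom note")
    (docs / "notes.txt.PayMe100USD").write_bytes(b"\x00" * 16)
    (docs / "PayMe 1.txt").write_text("placeholder ransom note")
    (docs / "PayMe 8.txt").write_text("placeholder ransom note")
    (docs / "report.docx").write_bytes(b"untouched file")
    # Bing-branded file name from the report, but benign bytes: the hash check
    # must not fire on a name alone.
    (Path(root) / "newbing.exe").write_bytes(b"not the real sample")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    for kind, hits in result.items():
        print(f"{kind}: {len(hits)}")
        for path, family in hits:
            print(f"    [{family}] {path}")
    print("families seen:", sorted(families_seen(result)))
```

Name and extension hits are kept separate from hash hits on purpose: a file called newbing.exe with an unknown hash is a lead to pull for analysis, whereas a hash match against the IOC table is a confirmed sample. Point `triage()` at a mounted image rather than a live system so the walk does not alter access times on evidence.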

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE training, NSE 1 – Information Security Awareness, includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks, and it can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom, partly because payment does not guarantee that files will be recovered. According to a U.S. Department of the Treasury Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via its Internet Crime Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).


Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.