BleepingComputer reports that the newly emergent Dark Power ransomware operation has already compromised 10 organizations in the U.S. and elsewhere since Jan. 29, with victims being asked to pay a $10,000 ransom.
Written in the Nim programming language, the Dark Power payload generates a randomized 64-character ASCII string on execution to seed its encryption routine, then terminates selected machine services and processes, including the Volume Shadow Copy Service and data backup services, according to a report from Trellix. After other anti-malware software has been killed, Dark Power sleeps for 30 seconds and then deletes the Windows system logs and the console to hinder analysis.
Researchers also noted two Dark Power payloads in the wild: the first hashes the ASCII string with SHA-256 and splits the digest into an AES key and an initialization vector, while the second uses the SHA-256 digest as the AES key and sets a 128-bit value as the encryption nonce.
Operations of California's Solano Partner Libraries and St. Helena, or SPLASH, continue to be interrupted weeks after the county's library network was targeted by a ransomware attack earlier this month, StateScoop reports.
Threat actors could gain several rootkit-like capabilities, including file and process concealment and the ability to undermine prefetch file analysis, by exploiting vulnerabilities in Windows' DOS-to-NT path conversion process, reports The Hacker News.
Open-source DevOps software project GitLab has also been affected by the same security issue in GitHub comments that threat actors have exploited via URLs linked to Microsoft repositories to distribute malware made to appear as though it originated from credible entities' official source code repositories, according to BleepingComputer.