Fake DarkSide Ransomware Gang Targets Energy, Food Sectors
A fake group claiming to be the DarkSide ransomware gang is targeting organizations in the food and energy sectors by sending hoax emails to extort ransoms from victims, a report by security firm Trend Micro says. None of the victims has detected any compromise so far.
Trend Micro says the ongoing email campaign started on June
4, with the attackers sending hoax ransom notes exclusively to victims in the
food and energy sectors. In the email, the attackers claim the victims'
networks have been breached, and then proceed to demand a ransom of 100
bitcoins ($3.6 million). If the victims fail to pay the ransom, the hackers
then threaten to leak the alleged hack data.
However, because none of the email recipients reported a network compromise, and because the bitcoin wallet listed in the ransom note has never sent or received a payment, Trend Micro assesses that the senders are not DarkSide but an impostor group trading on the name.
"DarkSide has always been able to show proof that they
obtained stolen sensitive data. They also lead their targets to a website
hosted on the Tor network," Trend Micro notes. "However, in this
campaign, the email does not mention anything about proving that they have
indeed obtained confidential or sensitive information. The content used in the
emails has led us to believe that they did not come from the said threat group,
but from an opportunistic low-level attacker trying to profit off the current
situation around DarkSide ransomware activities."
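The tells Trend Micro lists (no offer of proof that data was taken, no Tor leak or negotiation site, and a payment address worth checking) are the sort of thing a SOC analyst can score automatically when one of these notes lands. The following Python script is an added example for this page, not code from the Trend Micro report: it extracts bitcoin addresses from a note, verifies their checksums (Base58Check for legacy 1.../3... addresses, BIP-173 bech32 for bc1... addresses, so a mistyped or fabricated address is caught before anyone bothers looking it up), and flags the hoax indicators the report describes. The sample email, keyword lists and scoring are constructed for illustration; the address in the sample is the well-known Bitcoin genesis-block coinbase address, used only as a stand-in for an attacker wallet.

```python
import hashlib
import re

# Constructed sample extortion note (not from the report); the address is the
# Bitcoin genesis-block coinbase address, used as a stand-in for an attacker wallet.
SAMPLE_EMAIL = """Subject: Your network has been breached - DarkSide

We are DarkSide. We have encrypted your servers and downloaded your data.
Pay 100 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 72 hours.
If you do not pay, your files will be published.
"""

B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
BECH32_CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"


def valid_base58check(addr: str) -> bool:
    """Legacy (1...) and P2SH (3...) addresses: 21-byte payload + 4-byte double-SHA256 checksum."""
    n = 0
    for ch in addr:
        if ch not in B58_ALPHABET:
            return False
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    # Each leading '1' encodes a zero byte that the integer conversion dropped.
    leading = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading + body
    if len(raw) != 25:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def _bech32_polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def valid_bech32(addr: str) -> bool:
    """Segwit (bc1...) addresses: BIP-173 bech32 checksum; 0x2bc830a3 is the bech32m constant (BIP-350)."""
    if addr != addr.lower() and addr != addr.upper():
        return False  # mixed case is invalid by spec
    addr = addr.lower()
    sep = addr.rfind("1")
    if sep < 1 or sep + 7 > len(addr):
        return False
    hrp, data = addr[:sep], addr[sep + 1:]
    if any(c not in BECH32_CHARSET for c in data):
        return False
    values = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    values += [BECH32_CHARSET.index(c) for c in data]
    return _bech32_polymod(values) in (1, 0x2BC830A3)


# Candidate addresses: bech32 (bc1...) or Base58 without the ambiguous 0, O, I, l.
ADDR_RE = re.compile(r"\b(?:bc1[a-zA-Z0-9]{8,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
# Hypothetical keyword list for "we can prove we have your data"; tune to local cases.
PROOF_RE = re.compile(r"\b(sample|proof|screenshot|file listing|tree)\b", re.I)


def triage_extortion_email(text: str) -> dict:
    """Return the addresses found, those with valid checksums, and hoax indicators."""
    addrs = ADDR_RE.findall(text)
    valid = [
        a for a in addrs
        if (valid_bech32(a) if a.lower().startswith("bc1") else valid_base58check(a))
    ]
    indicators = []
    if not addrs:
        indicators.append("no bitcoin address in note")
    elif len(valid) < len(addrs):
        indicators.append("malformed bitcoin address (checksum failed)")
    if not ONION_RE.search(text):
        indicators.append("no Tor leak/negotiation site referenced")
    if not PROOF_RE.search(text):
        indicators.append("no offer of proof that data was stolen")
    return {"addresses": addrs, "valid_addresses": valid, "hoax_indicators": indicators}


if __name__ == "__main__":
    for key, value in triage_extortion_email(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The one check in the report that cannot be done offline is the wallet's history; once an address passes the checksum, look it up on a block explorer, as Trend Micro did. Note the asymmetry: an address that fails its checksum or a note with no leak site is a strong sign of a hoax, but a well-formed address with no transactions only means nobody has paid yet, so these indicators should raise the bar for verification, not close the ticket.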
The report further notes that most of the campaign's targets are in Japan, followed by Australia, the U.S., Argentina, Canada and India, with further activity seen in China, Colombia, Mexico, the Netherlands, Thailand and the U.K.
Targeting Food and Energy Sectors
Trend Micro says the attackers behind the latest campaign are specifically targeting the food and energy sectors to capitalize on the aftermath of the May 7 attack on Colonial Pipeline and the May 31 attack on meat processor JBS, in which DarkSide and REvil, respectively, disrupted the companies' operations and demanded millions of dollars in bitcoin.
Because both the energy and food sectors provide essential goods and services on a daily basis, victim organizations in them are believed to be more likely to pay a ransom out of fear of disruption to their operations, the report notes. The attackers behind the latest campaign are likely trading on that fear to extort payment without having compromised anything.
"In the campaign we spotted, fortunately no one actually paid, probably
due to the questionable details in the email. However, this does not remove the
possibility that an attacker with more believable methods could successfully
ensnare targets," says Trend Micro.
DarkSide Activities
DarkSide is a relatively new ransomware strain, active since August 2020, that operates under a ransomware-as-a-service model. In a joint alert released in May by the Cybersecurity and Infrastructure Security Agency and the FBI following the Colonial Pipeline attack, the agencies said the group gained initial access to victims' networks through phishing or by exploiting remotely accessible accounts and systems. The group then deployed DarkSide ransomware to steal and encrypt sensitive data, and threatened to publicly release the data if the ransom was not paid.
Although the group announced its closure on May 14, a report
by security firm FortiGuard Labs in the same month found a DarkSide ransomware
variant with destructive capabilities that enabled attackers to seek disk
partition information and encrypt the files in multiple disks (see: Researchers
Uncover Another DarkSide Ransomware Variant).
In June, the FBI recovered about $2.3 million of the $4.4 million ransom that Colonial Pipeline had paid to DarkSide, by tracing the payment through the public bitcoin ledger.