Fake DarkSide Ransomware Gang Targets Energy, Food Sectors

A fake group claiming to be the DarkSide ransomware gang is targeting organizations in the food and energy sectors by sending hoax emails to extort ransoms from victims, a report by security firm Trend Micro says. None of the victims has detected any compromise so far.

Trend Micro says the ongoing email campaign started on June 4, with the attackers sending hoax ransom notes exclusively to victims in the food and energy sectors. In the email, the attackers claim the victims' networks have been breached, and then proceed to demand a ransom of 100 bitcoins ($3.6 million). If the victims fail to pay the ransom, the hackers then threaten to leak the alleged hack data.

However, because none of the email recipients reported any network compromise, and because the bitcoin wallet listed in the ransom note has neither received nor sent any bitcoin, Trend Micro notes the group appears to be a fake DarkSide group.

"DarkSide has always been able to show proof that they obtained stolen sensitive data. They also lead their targets to a website hosted on the Tor network," Trend Micro notes. "However, in this campaign, the email does not mention anything about proving that they have indeed obtained confidential or sensitive information. The content used in the emails has led us to believe that they did not come from the said threat group, but from an opportunistic low-level attacker trying to profit off the current situation around DarkSide ransomware activities."
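The indicators Trend Micro lists above (no proof of stolen data, no link to a Tor-hosted leak site, a payment wallet with no transaction history) can be turned into a first-pass triage check for extortion emails. The following Python is an added example written for this page, not code from Trend Micro or from the article; the regular expressions, the phrase list, the constructed email bodies and the wallet-lookup function are all assumptions. In a real deployment the lookup would query a block explorer; here it is a constructed table, and an address the table does not know yields `None`, which deliberately keeps the email out of the "likely hoax" bucket.

```python
"""Triage heuristics for extortion emails, modelled on the indicators cited
for the fake DarkSide campaign: no proof of exfiltrated data, no Tor leak-site
link, and a bitcoin address that has never transacted."""
import re
from dataclasses import dataclass, field

# Tor hidden-service URLs: base32 labels (v2 are 16 chars, v3 are 56); the
# range is deliberately loose so the check is not brittle on odd formatting.
ONION_RE = re.compile(r"https?://[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
# Bech32 (bc1...) and legacy base58 (1.../3...) bitcoin address shapes.
BTC_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# Phrases that signal the sender is offering evidence of the data they claim to hold.
PROOF_PHRASES = ("proof", "sample", "attached", "screenshot", "file listing")


@dataclass
class TriageResult:
    has_onion_link: bool
    offers_proof: bool
    wallets: list = field(default_factory=list)
    wallet_tx_counts: dict = field(default_factory=dict)
    verdict: str = ""


def triage_extortion_email(body: str, tx_count_lookup) -> TriageResult:
    """Score one email body.

    tx_count_lookup(address) -> int or None is supplied by the caller
    (hypothetical; a real deployment would query a block explorer). None
    means "unknown", which never counts as an idle wallet.
    """
    lowered = body.lower()
    wallets = BTC_RE.findall(body)
    result = TriageResult(
        has_onion_link=bool(ONION_RE.search(body)),
        offers_proof=any(p in lowered for p in PROOF_PHRASES),
        wallets=wallets,
        wallet_tx_counts={w: tx_count_lookup(w) for w in wallets},
    )
    # Idle only if every listed wallet is known and has zero transactions.
    wallet_idle = bool(wallets) and all(
        n == 0 for n in result.wallet_tx_counts.values()
    )
    # No evidence, no leak site and an unused wallet matches the hoax pattern;
    # anything else goes to an analyst rather than being dismissed.
    if not result.offers_proof and not result.has_onion_link and wallet_idle:
        result.verdict = "likely hoax"
    else:
        result.verdict = "needs investigation"
    return result


# Constructed sample inputs (not real messages or addresses).
HOAX_EMAIL = """\
Hello. We are DarkSide. We have breached your network and downloaded
your confidential data. Pay 100 BTC to bc1qconstructedplaceholder0000000000
within 3 days or the data will be published."""

LEAK_SITE_EMAIL = """\
Your network has been encrypted. A sample of the stolen files is attached
as proof. Instructions are at http://constructedplaceholderonionxx.onion/
Wallet: bc1qconstructedplaceholder1111111111"""

# Constructed transaction-count table standing in for a block-explorer query.
CONSTRUCTED_TX_COUNTS = {
    "bc1qconstructedplaceholder0000000000": 0,   # never used: hoax indicator
    "bc1qconstructedplaceholder1111111111": 12,  # has on-chain history
}


def constructed_tx_lookup(address: str):
    """Hypothetical lookup; unknown addresses return None (not zero)."""
    return CONSTRUCTED_TX_COUNTS.get(address)


if __name__ == "__main__":
    for label, body in (("hoax", HOAX_EMAIL), ("leak-site", LEAK_SITE_EMAIL)):
        r = triage_extortion_email(body, constructed_tx_lookup)
        print(label, r.verdict, r.wallet_tx_counts)
```

The verdict is a triage label, not a conclusion: a wallet with no history is consistent with a hoax but also with a freshly generated per-victim address, which is why the check only fires when all three indicators line up and why an unknown wallet is routed to an analyst instead.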

The report further notes the campaign hit most victims in Japan, followed by several other countries such as Australia, the U.S., Argentina, Canada and India. It is also active in China, Colombia, Mexico, the Netherlands, Thailand and the U.K.

Targeting Food and Energy Sectors

Trend Micro says the hackers behind the latest campaign are specifically targeting the food and energy sectors in order to capitalize on the aftermath of the May 7 attack on Colonial Pipeline and the May 31 attack on meat processor JBS, in which the DarkSide and REvil groups disrupted the companies' operations and demanded millions in bitcoin.

Since both the energy and food sectors provide essential goods or services on a daily basis, victim organizations are believed more likely to pay the ransom out of fear of adverse impact to their operations following a ransomware attack, the report notes. Hence, the attackers behind the latest campaign are likely capitalizing on this fear to extort ransom. "In the campaign we spotted, fortunately no one actually paid, probably due to the questionable details in the email. However, this does not remove the possibility that an attacker with more believable methods could successfully ensnare targets," says Trend Micro.

DarkSide Activities

DarkSide is a relatively new ransomware strain that has been active since August 2020 and operates under a ransomware-as-a-service model. In a joint alert released by the Cybersecurity and Infrastructure Security Agency and the FBI in May following the Colonial Pipeline attack, the agencies said the group gained initial access to victims' networks through phishing or by exploiting remotely accessible accounts and systems. The group then deployed DarkSide ransomware to encrypt and steal sensitive data, after which it threatened to publicly release the data if the ransom was not paid.

Although the group announced its closure on May 14, a report by security firm FortiGuard Labs in the same month found a DarkSide ransomware variant with destructive capabilities that enabled attackers to seek disk partition information and encrypt the files in multiple disks (see: Researchers Uncover Another DarkSide Ransomware Variant).

In June, the FBI recovered $2.3 million of the $4.4 million ransom that Colonial Pipeline paid to DarkSide by tracking payments on the bitcoin public ledger.
