Fake DarkSide Ransomware Gang Targets Energy, Food Sectors
Fraudsters Send Emails with False Claims of Data Compromise, Trend Micro Says
Fraudsters falsely claiming to be the now-shuttered DarkSide ransomware gang are targeting organizations in the food and energy sectors by sending hoax emails to extort ransoms from victims, the security firm Trend Micro reports. None of the victims has detected any compromise so far.
Trend Micro says the ongoing email campaign started on June 4, with the fraudsters sending ransom notes exclusively to victims in the food and energy sectors. In the emails, the attackers claim the victims' networks have been breached and then proceed to demand a ransom of 100 bitcoins ($3.6 million). The fraudsters threaten to leak stolen data if the victims fail to pay a ransom.
None of the email recipients reported any network compromise, and the bitcoin wallet listed in the ransom note has not received or sent any bitcoin payment, which leads Trend Micro to conclude the fraudsters are impersonating the DarkSide group.
"DarkSide has always been able to show proof that they obtained stolen sensitive data. They also lead their targets to a website hosted on the Tor network," Trend Micro notes. "However, in this campaign, the email does not mention anything about proving that they have indeed obtained confidential or sensitive information. The content used in the emails has led us to believe that they did not come from the said threat group, but from an opportunistic low-level attacker trying to profit off the current situation around DarkSide ransomware activities."
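The three hoax indicators described above (no proof of stolen data offered, no Tor leak site, a wallet with no transaction history) can be checked mechanically when triaging such an email. The following is an added example, not code from Trend Micro's report; the ransom-note text, the stand-in transaction table and the hypothetical triage() function are constructed for the illustration, and the address checksum check is an extra pre-lookup step the article does not mention.

```python
import hashlib
import re

# Constructed ransom note modelled on the hoax campaign described above
# (hypothetical wording; the address is the well-known public Bitcoin
# genesis address, used only so the checksum routine has valid input).
SAMPLE_NOTE = """We are DarkSide. Your network was breached and your data is ours.
Pay 100 BTC to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 72 hours
or we publish everything."""

# Constructed stand-in for a blockchain-explorer lookup: address -> tx count.
KNOWN_TX_COUNTS = {}

BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
PROOF_RE = re.compile(r"\b(sample|proof|screenshot|file (?:list|tree))\b", re.I)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58check_valid(addr):
    """Checksum-validate a legacy (1... / 3...) address before looking it up."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return False
        n = n * 58 + B58.index(ch)
    if n.bit_length() > 200:          # version + hash160 + checksum is 25 bytes
        return False
    raw = n.to_bytes(25, "big")       # leading '1's become leading zero bytes
    body, checksum = raw[:21], raw[21:]
    return hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4] == checksum

def triage(note, tx_counts):
    """Return (addresses, indicator flags, verdict) for a ransom note, using
    the three signals above plus a malformed-address check."""
    addrs = BTC_RE.findall(note)
    indicators = {
        "no_proof_of_data": PROOF_RE.search(note) is None,
        "no_tor_site": ONION_RE.search(note) is None,
        "wallet_never_used": all(tx_counts.get(a, 0) == 0 for a in addrs),
        "invalid_address": any(a.startswith(("1", "3")) and not base58check_valid(a)
                               for a in addrs),
    }
    hits = sum(indicators.values())
    verdict = "likely hoax" if hits >= 2 else "treat as genuine until disproven"
    return addrs, indicators, verdict

if __name__ == "__main__":
    print(triage(SAMPLE_NOTE, KNOWN_TX_COUNTS))
```

In practice the tx_counts table would be filled from a blockchain explorer query for each extracted address; a wallet with zero inbound and outbound transactions is the signal the report relied on.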
The report further notes the fraud campaign mainly targeted victims in Japan as well as Australia, the U.S., Argentina, Canada, and India. But it's also active in China, Colombia, Mexico, the Netherlands, Thailand and the U.K.
Targeting Food and Energy Sectors
Trend Micro says the hackers behind the latest campaign are attempting to capitalize on the aftermath of the recent attack on Colonial Pipeline by DarkSide and the attack on meat processor JBS, which involved REvil.
Because the energy and food sectors provide essential goods and services on a daily basis, victim organizations are believed more likely to pay the ransom out of fear of adverse impact to their operations. "In the campaign we spotted, fortunately no one actually paid, probably due to the questionable details in the email. However, this does not remove the possibility that an attacker with more believable methods could successfully ensnare targets," Trend Micro says.
DarkSide, which had been active since August 2020, recently shut down its ransomware-as-a-service operation. In a joint alert released by the Cybersecurity and Infrastructure Security Agency and the FBI following the Colonial Pipeline attack, the agencies said the group gained initial access to victims' networks through phishing or exploiting remotely accessible accounts and systems. The group then deployed DarkSide ransomware to encrypt and steal sensitive data, after which it threatened to publicly release the data if the ransom was not paid.
In June, the FBI recovered $2.3 million of the $4.4 million ransom that Colonial Pipeline had paid to DarkSide by tracing the payment on the public bitcoin ledger.