According to the latest research by Trend Micro, a fake DarkSide ransomware gang has been newly observed to be targeting energy and food sector organizations across numerous countries.
The group does so by sending fraudulent extortion emails that claim a breach and demand a ransom.
The original DarkSide Ransomware:
The original, malicious DarkSide ransomware has been active since at least August 2020; its most recent and most significant victim was the U.S.-based Colonial Pipeline. The company recently disclosed that it paid a ransom of $4.4 million in exchange for the stolen data, of which the FBI was able to recover $2.3 million.
The malicious ransomware gang recently shut down its ransomware-as-a-service operations.
How does the fake DarkSide ransomware operate:
Trend Micro notes that the fake DarkSide campaign was first observed on the 4th of June, with the threat actors sending ransom notes specifically to targets in the food and energy sectors.
The emails sent by this group claim that the victims' networks have been hacked.
They then threaten to leak the supposedly stolen data and demand a ransom of 100 Bitcoin, roughly $3.6 million.
No victims reported as of yet:
Thankfully, none of the targets of the fake DarkSide ransomware gang have reported a hacking attack or network compromise. Furthermore, the bitcoin wallet listed in the ransom email has neither sent nor received any bitcoin payment. This indicates that the threat actors are merely masquerading as the DarkSide ransomware gang.
“In the campaign we spotted, fortunately no one actually paid, probably due to the questionable details in the email. However, this does not remove the possibility that an attacker with more believable methods could successfully ensnare targets,” stated Trend Micro.
“DarkSide has always been able to show proof that they obtained stolen sensitive data. They also lead their targets to a website hosted on the Tor network,” noted Trend Micro. “However, in this campaign, the email does not mention anything about proving that they have indeed obtained confidential or sensitive information. The content used in the emails has led us to believe that they did not come from the said threat group, but from an opportunistic low-level attacker trying to profit off the current situation around DarkSide ransomware activities.”
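The three hallmarks Trend Micro contrasts above (proof of stolen data, a Tor negotiation site, and a payment wallet that actually moves funds) can be turned into a simple triage check for extortion mail landing in a SOC queue. The Python below is an added example written for this page, not code from Trend Micro or the article; the two sample emails, the bitcoin addresses, the .onion hostname and the wallet transaction counts are all constructed, and the wallet lookup is a hard-coded table standing in for a block-explorer query.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed addresses (valid-looking bech32 shapes, not real wallets).
FAKE_ADDR = "bc1qexampleaddr" + "0" * 27
CREDIBLE_ADDR = "bc1qsampleaddress" + "1" * 24

# Constructed sample emails; wording does not come from the Trend Micro report.
FAKE_STYLE_EMAIL = f"""\
Subject: Your network has been hacked by DarkSide
We have downloaded all your confidential data. Pay 100 BTC to
{FAKE_ADDR} within 3 days or
everything will be published.
"""

CREDIBLE_STYLE_EMAIL = f"""\
Subject: DarkSide
Your corporate network was compromised. A sample of the stolen files is
attached as proof. Visit http://exampleleaksite234567abcdefghij.onion for
negotiation and the full file listing. Payment: 40 BTC to
{CREDIBLE_ADDR}.
"""

# Constructed wallet history standing in for a block-explorer lookup.
WALLET_TX_COUNT = {
    FAKE_ADDR: 0,        # never used on-chain
    CREDIBLE_ADDR: 12,   # has transaction history
}


def constructed_wallet_lookup(address: str) -> int:
    """Return the number of on-chain transactions for an address (table stub)."""
    return WALLET_TX_COUNT.get(address, 0)


# Bech32 (bc1...) or legacy base58 (1.../3...) bitcoin address shapes.
BTC_ADDR_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
# v2/v3 onion hostnames use the base32 alphabet a-z, 2-7.
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
# Phrases an extortionist uses when offering evidence of exfiltration.
PROOF_RE = re.compile(r"\b(?:sample|proof|screenshot|file listing|attached)\b", re.I)
AMOUNT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*(?:btc|bitcoin)\b", re.I)


@dataclass
class TriageResult:
    btc_address: Optional[str]
    ransom_btc: Optional[float]
    offers_proof: bool
    has_onion_link: bool
    wallet_active: bool
    red_flags: List[str] = field(default_factory=list)
    verdict: str = ""


def triage_extortion_email(text: str, wallet_lookup: Callable[[str], int]) -> TriageResult:
    """Score an extortion email against the hallmarks of a genuine DarkSide note."""
    addr_match = BTC_ADDR_RE.search(text)
    address = addr_match.group(0) if addr_match else None
    amount_match = AMOUNT_RE.search(text)
    ransom_btc = float(amount_match.group(1)) if amount_match else None
    offers_proof = bool(PROOF_RE.search(text))
    has_onion = bool(ONION_RE.search(text))
    wallet_active = address is not None and wallet_lookup(address) > 0

    flags: List[str] = []
    if not offers_proof:
        flags.append("no proof of exfiltration offered")
    if not has_onion:
        flags.append("no Tor leak or negotiation site referenced")
    if address is not None and not wallet_active:
        flags.append("payment wallet has no on-chain history")

    # Two or more hallmarks missing: treat as opportunistic impersonation.
    verdict = ("likely opportunistic impersonation" if len(flags) >= 2
               else "credible extortion; escalate to incident response")
    return TriageResult(address, ransom_btc, offers_proof, has_onion,
                        wallet_active, flags, verdict)


if __name__ == "__main__":
    for label, mail in (("fake-style", FAKE_STYLE_EMAIL),
                        ("credible-style", CREDIBLE_STYLE_EMAIL)):
        result = triage_extortion_email(mail, constructed_wallet_lookup)
        print(f"{label}: {result.verdict} {result.red_flags}")
```

The verdict is a prioritisation aid, not a reason to skip investigation: as the article notes, none of the targets had actually been compromised, but that was established by checking the networks, so a "likely impersonation" result should still trigger a quick look for signs of intrusion before the email is closed out.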
Trend Micro's research also found that the campaign primarily targets organizations in countries such as Japan, Australia, the U.S., Argentina, Canada, and India. Active cases were also observed in China, Colombia, Mexico, the Netherlands, Thailand, and the U.K.