Impersonators are creating the impression that the DarkSide ransomware gang is back. Attackers are sending fake emails that purport to come from the notorious ransomware gang and are designed to extort companies in the energy and food industries.
DarkSide launched in August 2020. It targeted corporate networks, demanded millions of dollars in ransom, and was thrust into the spotlight after hitting a major US pipeline.
In a new report, researchers from Trend Micro revealed that a new campaign impersonating DarkSide started in June.
“Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide,” said Trend Micro researcher Cedric Pernet.
“In this email, the threat actor claims that they have successfully hacked the target’s network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid.”
The campaign works by sending emails claiming that the ransomware gang stole data from the company’s servers. The email then asks the victims to pay a ransom of 100 bitcoins.
The extortion message reads as follows:
Hi, this is DarkSide.
It took us a lot of time to hack your servers and access all your accounting reporting. Also, we got access to many financial documents and other data that can greatly affect your reputation if we publish them.
It was difficult, but luck was helped by us – one of your employees is extremely unqualified in network security issues. You could hear about us from the press – recently we held a successful attack on the Colonial Pipeline.
For non-disclosure of your confidential information, we require not so much – 100 bitcoins. Think about it, these documents may be interested not only by ordinary people, but also the tax service and other organizations, if they are in open access … We are not going to wait long – you have several days.
Our bitcoin wallet – bc1qcwrl3yaj8pqevj5hw3363tycx2x6m4nkaaqd5e
All the emails contain the same extortion demand and provide the same bitcoin address.
The Bitcoin address has not received any payments and most likely will not receive any in the future, given the ridiculously high demand of $3.6 million in Bitcoin.
According to Trend Micro, the emails they have seen come from darkside.xyz and darkside.solpatu, which are throwaway domain names.
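Because every message in the campaign reuses one wallet and the sender domains above, a mail team can triage reports against those indicators. The following is an added example, not code from Trend Micro or the original article; the function names and the sample messages (including the mail.example and example.org senders) are constructed for illustration. It decodes the body before matching, since a base64-encoded body hides the wallet from a plain text search.

```python
import base64
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Indicators quoted in the article.
CAMPAIGN_WALLET = "bc1qcwrl3yaj8pqevj5hw3363tycx2x6m4nkaaqd5e"
CAMPAIGN_SENDER_DOMAINS = {"darkside.xyz", "darkside.solpatu"}
# Loose bech32 (bc1...) matcher, used only to pull candidate addresses out of text.
BECH32_RE = re.compile(r"\bbc1[02-9ac-hj-np-z]{20,80}\b", re.IGNORECASE)

def decoded_text(msg):
    """Join all text parts with base64 / quoted-printable transfer encoding undone."""
    return "\n".join(p.get_content() for p in msg.walk()
                     if p.get_content_maintype() == "text")

def triage(raw_email):
    """Return the campaign indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_email, policy=policy.default)
    hits = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in CAMPAIGN_SENDER_DOMAINS:
        hits.append("sender-domain:" + domain)
    wallets = {w.lower() for w in BECH32_RE.findall(decoded_text(msg))}
    if CAMPAIGN_WALLET in wallets:
        hits.append("wallet:" + CAMPAIGN_WALLET)
    return hits

# Constructed sample messages (not real campaign mail).
BODY = "Hi, this is DarkSide. Our bitcoin wallet - " + CAMPAIGN_WALLET + "\n"
SAMPLE_B64 = (  # wallet hidden behind base64, sent from an unrelated domain
    "From: Billing <billing@mail.example>\nSubject: urgent\nMIME-Version: 1.0\n"
    "Content-Type: text/plain; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(BODY.encode()).decode() + "\n"
)
SAMPLE_PLAIN = (  # campaign sender domain, no wallet in the body
    "From: DarkSide <support@darkside.xyz>\nSubject: read this\n\n"
    "We require 100 bitcoins.\n"
)
SAMPLE_BENIGN = (  # unrelated mail carrying a different, made-up bc1 string
    "From: Shop <orders@example.org>\nSubject: invoice\n\n"
    "Pay to bc1q" + "a" * 38 + " please.\n"
)

if __name__ == "__main__":
    for name in ("SAMPLE_B64", "SAMPLE_PLAIN", "SAMPLE_BENIGN"):
        print(name, triage(globals()[name]))
```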
It is believed that the attackers are targeting the energy and food industries because companies in those sectors recently paid out large ransoms.