Companies in the US and abroad have been receiving threatening emails supposedly from the infamous DarkSide ransomware group, but a cybersecurity expert says an imposter likely sent the messages in an attempt to take advantage of the real DarkSide group’s notoriety.
The social engineering email attack began on June 04, targeting different companies from around the world. The emails allege to be from the DarkSide group, and the sender claims that it “took a lot of time to hack” the recipient’s servers. The sender then threatens to publish the financial documents it managed to “steal” from the recipient, unless a ransom is paid. Each email also contains a link to the sender’s Bitcoin wallet, which the sender has instructed the recipient to deposit 100 bitcoins into as ransom.
However, cybersecurity company Trend Micro said that it has reasons to believe that the emails have nothing to do with the real DarkSide group. In a blog report on its website, Trend Micro said that the email is very different from what the real ransomware group does, as DarkSide has always been able to produce proof that it obtained stolen sensitive data. The security company also noted that DarkSide also leads its targets to a website hosted on the Tor network.
The latest string of emails supposedly from DarkSide makes no mention about proof that any systems were hacked.
Trend Micro also reported that the real DarkSide group typically launches its ransomware to paralyze their victims’ operations before demanding ransom. On the other hand, the impostors just sent a threat and a ransom demand claiming that they already had the stolen data, without showing any proof.
Perhaps the most damning evidence that Trend Micro found against the threat actor posing as DarkSide was that the actor claimed that JBS was one of its latest victims. The JBS attack was not attributed to DarkSide, but to REvil/Sodinokibi.
Trend Micro managed to learn more about the threatening emails. The company found, based on the sender’s IP address, that the threat actor targeted only businesses in the energy and food industries. The campaign targeted companies in Japan most frequently (25% of all emails sent), but other countries affected included Australia (12.5%), the US (12.5%), Argentina (8.3%), Canada (8.3%), and India (8.3%). The remaining 25.1% of the emails were sent to companies of other countries.
“In the aftermath, an attack’s impact could raise fears about food and/or energy security, triggering panic buying as the public worries about possible spikes in prices that could be caused by the attack,” Trend Micro said in its blog report.
“This is one of the reasons why attackers, real and fake alike, would choose to launch campaigns on essential supply providers: their targets are aware of the far-reaching immediate effects an attack could have, affecting not just the company itself, but a slew of consumers as well. Considering this, the targets would be more likely to cave into the ransom demands.”