Extortion Emails by Bogus DarkSide Gang Targets Energy and Food Industry

In bogus extortion emails sent to firms in the energy and food industries, threat actors impersonate the now-defunct DarkSide Ransomware campaign. The Darkside ransomware attack first hit business networks in August 2020, asking millions of dollars in exchange for a decryptor and a pledge not to reveal stolen data. 

Following the ransomware gang's attack on the Colonial Pipeline, the country's largest petroleum pipeline, the ransomware gang was thrown into the spotlight, with the US government and law enforcement focusing their attention on the group. Because of the heightened scrutiny from law officials, DarkSide abruptly shut down its operations in May for fear of being arrested. 

Trend Micro researchers reveal in a new analysis that a new extortion campaign began in June, with threat actors imitating the DarkSide ransomware group. "Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide," explains Trend Micro researcher Cedric Pernet. "In this email, the threat actor claims that they have successfully hacked the target's network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid." 

The email campaign began on June 4 and has been targeting a few targets every day since then. Threatening emails were sent to the generic email accounts of a few firms. For each target, the Bitcoin wallet at the bottom of the email is the same. None of the aforementioned wallets have received or sent any Bitcoin payments. There has been no actual attack linked to the emails, and no new targets have been discovered. 

The researchers discovered that the same attacker had filled contact forms on many companies' websites in addition to sending targeted emails to them. The content of the web forms was identical to the text of the emails. They were able to obtain the sender's IP address, 205[.]185[.]127[.]35, which is a Tor network exit node. 

The threat actor appears to be exclusively interested in the energy (oil, gas, and/or petroleum) and food businesses, based on the telemetry data; in fact, all of their targets are in these industries. The campaign had the most impact on Japan, followed by Australia, the United States, Argentina, Canada, and India. China, Colombia, Mexico, the Netherlands, Thailand, and the United Kingdom are among the other countries affected.