The original DarkSide ransomware gang quit its operation last month after the attack on Colonial Pipeline.
In May 2021, the DarkSide ransomware group targeted Colonial Pipeline, the largest fuel pipeline in the United States. The attack was so severe that it shut down 5,500 miles of pipeline along the East Coast.
As a repercussion, the group had its servers seized and ransom payments recovered by law enforcement authorities. The group then decided to quit its operation, and that was the end of the DarkSide ransomware group.
Now, the IT security researchers at Trend Micro have discovered a new scam campaign in which an “opportunistic low-level attacker” is pretending to be the DarkSide ransomware gang and trying to scam large sums of money from companies in the energy and food industries.
According to the researchers, the attacker has been sending emails to companies claiming to have breached their servers and accessed sensitive data. The email further demands a ransom of a whopping 100 BTC ($4 million – £5.5 million) and threatens to leak the supposed data if the demands are not met.
However, unlike the DarkSide ransomware group, the attacker fails to show any proof of a hack or any sample data. It is worth noting that DarkSide used its website to publish proof of its hacks or to leak data.
In a blog post, Trend Micro’s senior threat researcher Cedric Pernet explained that:
The behavior behind this fraud campaign is very different from what DarkSide exhibited in its previous campaigns. DarkSide has always been able to show proof that they obtained stolen sensitive data. They also lead their targets to a website hosted on the Tor network. However, in this campaign, the email does not mention anything about proving that they have indeed obtained confidential or sensitive information.
Furthermore, the researchers did not find the encryption pattern used by the DarkSide ransomware group, which affirms that the attacker is trying to make quick and big money by taking advantage of the original group having disappeared without leaving any trace.
Additionally, the attacker’s email sent to the supposed victims claims responsibility for the ransomware attack on JBS. In reality, that attack was carried out by REvil (aka Sodinokibi).
For your information, JBS is the world’s largest meat processing company, based in Brazil, which suffered a ransomware attack on May 30, 2021. As a result, the company was forced to pay an $11m (£7.8m) ransom in Bitcoin to the REvil ransomware operators.
If you receive an email in which someone is claiming to be the DarkSide ransomware gang, the best solution is to ignore it.