DarkSide

Threat actors impersonate the now-defunct DarkSide Ransomware operation in fake extortion emails sent to companies in the energy and food sectors.

The DarkSide ransomware operation launched in August 2020, targeting corporate networks and demanding millions of dollars for a decryptor and a promise not to release stolen data.

After hitting Colonial Pipeline, the largest fuel pipeline in the US, the ransomware gang was thrust into the spotlight, with the US government and law enforcement shifting their focus to the group.

This increased scrutiny from law enforcement led DarkSide to abruptly shut down its operation in May out of fear of being arrested.

Since then, there has been no further activity from the group or its known aliases.

Extortionists impersonate DarkSide gang

In a new report, Trend Micro researchers reveal that a new extortion campaign started in June where threat actors are impersonating the DarkSide ransomware gang.

"Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide," explains Trend Micro researcher Cedric Pernet.

"In this email, the threat actor claims that they have successfully hacked the target's network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid."

This new extortion campaign consists of emails sent to companies or through their website contact forms that state the ransomware gang hacked the company's servers and stole data during the attack. The email says that the company must pay 100 bitcoins to an enclosed bitcoin address, or threat actors will publicly release the documents.

You can read the entire extortion message below:

Hi, this is DarkSide.

It took us a lot of time to hack your servers and access all your accounting reporting. Also, we got access to many financial documents and other data that can greatly affect your reputation if we publish them.
It was difficult, but luck was helped by us - one of your employees is extremely unqualified in network security issues. You could hear about us from the press - recently we held a successful attack on the Colonial Pipeline.

For non-disclosure of your confidential information, we require not so much - 100 bitcoins. Think about it, these documents may be interested not only by ordinary people, but also the tax service and other organizations, if they are in open access ... We are not going to wait long - you have several days.

Our bitcoin wallet - bc1qcwrl3yaj8pqevj5hw3363tycx2x6m4nkaaqd5e

According to Trend Micro, all of the emails use the same bitcoin address. An extortion demand submitted through a site's contact form and seen by BleepingComputer showed that this bitcoin address is bc1qcwrl3yaj8pqevj5hw3363tycx2x6m4nkaaqd5e.

At this time, the bitcoin address has received no payments and likely never will, considering the ridiculous $3.6 million bitcoin demand.

Trend Micro states that the emails it has seen are sent from the darkside@99email[.]xyz and darkside@solpatu[.]space addresses, with 99email[.]xyz being a throwaway email service.
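The sender addresses and the shared bitcoin wallet above are the only indicators the campaign gives a mail team to work with, so a simple triage check is the practical takeaway. The script below is an added example, not code from Trend Micro or BleepingComputer: it parses a raw email, checks the sender and any bc1 address in the body against the indicators quoted in this article (the two sender addresses are refanged here so they can be matched), and flags a message that reuses the extortion wording with a different wallet as suspicious rather than clean. The three sample messages, including the second one's "fakewallet" address, are constructed for the example and are not real campaign data.

```python
import re
from email import message_from_string
from email.message import Message

# Indicators quoted in the article (refanged from darkside@99email[.]xyz etc. for matching).
FAKE_DARKSIDE_SENDERS = {
    "darkside@99email.xyz",
    "darkside@solpatu.space",
}
FAKE_DARKSIDE_WALLET = "bc1qcwrl3yaj8pqevj5hw3363tycx2x6m4nkaaqd5e"

# Any bech32 (bc1...) address: the charset excludes 1, b, i and o. This is a pattern
# match only, no checksum validation, so a reused template with a swapped wallet is
# still surfaced for a human to look at.
BTC_BECH32_RE = re.compile(r"\bbc1[02-9ac-hj-np-z]{25,62}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")  # simplified, good enough for From:


def _body_text(msg: Message) -> str:
    """Return the plain-text payload of a (possibly multipart) message."""
    if msg.is_multipart():
        parts = []
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                raw = part.get_payload(decode=True)
                parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
        return "\n".join(parts)
    raw = msg.get_payload(decode=True)
    return raw.decode(msg.get_content_charset() or "utf-8", "replace")


def triage(raw_message: str) -> dict:
    """Score one RFC 822 message against the fake-DarkSide indicators.

    Verdicts:
      'known_campaign' - sender or wallet matches an indicator from the article
      'suspicious'     - extortion wording plus an unknown bc1 wallet (template reuse)
      'clean'          - nothing matched
    """
    msg = message_from_string(raw_message)
    m = EMAIL_RE.search(msg.get("From", ""))
    sender = m.group(0).lower() if m else ""
    body = _body_text(msg)
    lowered = body.lower()
    wallets = set(BTC_BECH32_RE.findall(body))
    hits = {
        "known_sender": sender in FAKE_DARKSIDE_SENDERS,
        "known_wallet": FAKE_DARKSIDE_WALLET in wallets,
        "extortion_wording": "this is darkside" in lowered and "bitcoin" in lowered,
        "other_wallets": sorted(wallets - {FAKE_DARKSIDE_WALLET}),
    }
    if hits["known_sender"] or hits["known_wallet"]:
        verdict = "known_campaign"
    elif hits["extortion_wording"] and hits["other_wallets"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"sender": sender, "verdict": verdict, **hits}


# Constructed sample messages (not real mail); wording mirrors the quoted extortion note.
SAMPLE_KNOWN = """From: DarkSide <darkside@99email.xyz>
To: accounting@energy-corp.example
Subject: Hi, this is DarkSide
Content-Type: text/plain; charset=utf-8

Hi, this is DarkSide.
For non-disclosure of your confidential information, we require 100 bitcoins.
Our bitcoin wallet - bc1qcwrl3yaj8pqevj5hw3363tycx2x6m4nkaaqd5e
"""

PLACEHOLDER_WALLET = "bc1q" + "fakewallet" * 4  # constructed, passes the pattern only

SAMPLE_SUSPICIOUS = f"""From: Security <noreply@mail-relay.example>
To: contact@food-corp.example
Subject: Your documents
Content-Type: text/plain; charset=utf-8

Hi, this is DarkSide. Pay 100 bitcoins or we publish everything.
Our bitcoin wallet - {PLACEHOLDER_WALLET}
"""

SAMPLE_CLEAN = """From: Vendor <billing@supplier.example>
To: accounting@energy-corp.example
Subject: Invoice 1042
Content-Type: text/plain; charset=utf-8

Please find attached invoice 1042, due in 30 days. Thank you.
"""

if __name__ == "__main__":
    for name, sample in [("known", SAMPLE_KNOWN), ("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)]:
        print(name, triage(sample))
```

The wallet check is deliberately broader than the single published address: an indicator list built only from this week's address goes stale the moment the extortionists swap it, whereas the combination of the "this is DarkSide" wording and any bc1 address in the body keeps catching the template.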

It is not clear why the wannabe extortionists are only targeting the food and energy sectors, but it is believed to be because recent ransomware victims in those industries have been quick to pay a ransom.

The industries targeted by the fake DarkSide campaign
Source: Trend Micro

After Colonial Pipeline was attacked, the company paid a $4.4 million ransom to DarkSide, most of which was later recovered by the FBI.

Likewise, meat producer JBS paid $11 million to REvil after a ransomware attack.
