The original DarkSide ransomware gang had quit its operation last month after the attack on Colonial Pipeline.
In May 2021, the DarkSide ransomware group targeted Colonial Pipeline, the largest fuel pipeline in the United States. The attack was so severe that it shut down 5,500 miles of pipeline along the East Coast.
As a repercussion, the group had its servers seized and ransom payments recovered by law enforcement authorities. The group then decided to quit its operation, and that was the end of the DarkSide ransomware group.
Now, the IT security researchers at Trend Micro have discovered a new scam campaign in which an “opportunistic low-level attacker” is pretending to be the DarkSide ransomware gang and trying to scam large sums of money from companies in the energy and food industry.
According to researchers, the attacker has been sending emails to companies claiming to have breached their servers and accessed sensitive data. The email further demands a ransom of a whopping 100 BTC ($4 million – £5,5 million) and threatens to leak the supposed data if the demands are not met.
However, unlike the DarkSide ransomware group, the attacker fails to show any proof of hack or sample data. It is worth noting that DarkSide used its website to publish proof of hack or leaked data.
In a blog post, Trend Micro’s senior threat researcher Cedric Pernet explained that:
The behavior behind this fraud campaign is very different from what DarkSide exhibited in its previous campaigns. DarkSide has always been able to show proof that they obtained stolen sensitive data. They also lead their targets to a website hosted on the Tor network. However, in this campaign, the email does not mention anything about proving that they have indeed obtained confidential or sensitive information.
Furthermore, the researchers did not find the encryption pattern followed by the DarkSide ransomware group, which affirms that the attacker is trying to make quick and big bucks by taking advantage of the situation where the original group has disappeared without leaving any trace.
Additionally, the attacker’s email sent to their supposed victims claims responsibility for the ransomware attack on JBS. In reality, that attack was carried out by REvil (aka Sodinokibi).
For your information, JBS is the world’s largest meat processing company, based in Brazil, which suffered a ransomware attack on May 30, 2021. As a result, the company was forced to pay an $11m (£7.8m) ransom in Bitcoin to the REvil ransomware operators.
If you receive an email in which someone is claiming to be the DarkSide ransomware gang, the best solution is to ignore it.