Fake ‘Dark Side’ Gang Targets Global Energy, Food Sectors!


A Dark Side ‘clone’ is engaged in a fraud campaign aimed at extorting nearly $4m from each target.

Several organisations in the oil, gas & food sectors have received threatening emails from cyber-criminals posing as Dark Side – the ransomware gang behind the Colonial Pipeline hack.

Fear-Based

According to researchers at Trend Micro, threat actors are taking advantage of the notoriety around the pipeline ransomware incident & the Dark Side name in order to mount a fear-based social-engineering campaign.

The emails warn targets that the group has successfully hacked the recipient’s enterprise network & lifted sensitive information, which will be disclosed publicly if a ransom of 100 Bitcoin (BTC) is not paid. That is roughly $3.8m.

That roughly matches the Dark Side playbook of double extortion – however, things are not what they seem, according to Trend Micro.

Low-Level Attacker

“The content used on the emails has led us to believe that they did not come from this threat group, but from an opportunistic low-level attacker trying to profit off the current situation around Dark Side ransomware activities,” researchers commented in a Thursday blog post.

Dark Side generally offers proof that it has obtained stolen sensitive data, researchers pointed out – but no such assurances are provided in the recent spate of campaigns. Also, even though the fraudsters claim to be a ransomware gang, there is no encryption of any files or other content on the supposed “victim” networks.

Attribution Mistake

Then there’s an obvious attribution mistake: The emails mention Dark Side’s previous attacks that have hit the headlines of late, & include meat-industry giant JBS as a victim. However, that strike was not Dark Side’s handiwork, but was rather attributed to REvil (a.k.a. Sodinokibi).

It is worth noting that Dark Side generally asks for between $200k and $2m, according to previous reporting – not the almost $4m requested in the recent emails.

“All in all, this campaign looks amateurish compared to known previous Dark Side activities,” according to Trend Micro. “We believe that most companies will not be urged to pay that amount without being shown any real evidence that the network has been compromised & sensitive data is about to leak in public.”

Email Campaign

Trend Micro observed emails hitting some targets daily, starting June 4. The messages were sent to generic email addresses within the organisations (i.e., addresses such as “support@[companyname].com” or similar). The sender emails are darkside@99email[.]xyz & darkside@solpatu[.]space.

The Bitcoin wallet at the end of the email is always the same for every target, according to the analysis.

The firm also saw that the same attacker filled out contact forms on several companies’ websites, submitting via web form the same content as is included in the emails.

“In one case, we were able to get the sender’s IP address, 205[.]185[.]127[.]35, which happens to be a Tor network exit node,” researchers outlined.

Wide Global Net

The campaign cast a wide, global net: It affected Japan the most, followed by a tier of several other countries: Argentina, Australia, Canada, India & the US. The rest of the affected countries include China, Colombia, Mexico, Netherlands, Thailand & the UK.

However, it appears that the Dark Side doppelganger is striking out – likely due to the lack of any encryption & the questionable email details: “As of writing, the wallets have not received or sent any Bitcoin payment,” researchers observed. “No actual attack has been traced back to the emails, & no new targets have been spotted.

“However, this does not remove the possibility that an attacker with more believable methods could successfully ensnare targets,” analysts warned.

Energy & Food Industries

Based on the telemetry data, it seems the threat actor is zeroing in with laser-like focus on the energy & food industries, with every target falling within these sectors, researchers noted. The likely thinking behind that is that the stakes are simply higher for these organisations.

“These sectors are expected to provide essential goods and/or services on a daily basis,” according to Trend Micro’s analysis. “The longer the attack remains unthwarted & the companies’ operations subsequently interrupted, the more the affected organisation loses profit & reputation. The shutdown of these services might also cause public uproar & panic, especially when it potentially affects a large number of people.”

Types of Companies

The logic follows that these types of companies will be more likely to give in to extortion attempts.

“While the rest of the campaign shows clumsy techniques, it is worth noting that the attacker deliberately selected companies in specific industries for a reason,” according to Trend Micro.

“In the aftermath, an attack’s impact could raise fears about food and/or energy security, triggering panic buying as the public worries about possible spikes in prices that could be caused by the attack.”

Validity of any Threat

The energy & food sectors are among the most-targeted by cyber-criminals of all stripes, including real ransomware gangs, the firm added; however, organisations should always verify the validity of any threat before taking any action when faced with a threatening notice.
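The article’s indicators (the two sender addresses, the fixed 100 BTC demand, the absence of any proof of access, and the JBS attribution error) can be turned into a simple mail-triage check that supports the “verify the validity of any threat” advice above. The following is an added example for defenders, not Trend Micro’s tooling or the article’s own code; only the indicators named in the article are taken from the page, and the sample messages below are constructed for illustration.

```python
"""
Triage helper for extortion e-mails that impersonate a known ransomware gang.

Added example, not Trend Micro's tooling. The page-derived indicators are the
two sender addresses (defanged in the article as 99email[.]xyz and
solpatu[.]space), the 100 BTC demand and the JBS attribution error; the
sample messages are constructed.
"""
import re
from dataclasses import dataclass, field

# Sender addresses reported for the campaign.
KNOWN_SENDERS = {"darkside@99email.xyz", "darkside@solpatu.space"}

# Hallmarks of the fake campaign described in the article.
BTC_DEMAND = re.compile(r"\b(\d+)\s*(?:BTC|bitcoin)\b", re.I)
PROOF_HINTS = re.compile(r"(sample|screenshot|file list|attached|proof)", re.I)
MISATTRIBUTED_VICTIMS = ("jbs",)  # JBS was hit by REvil, not Dark Side


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def flag(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def triage(msg: dict) -> Verdict:
    """Score one message; a higher score means a more likely empty impersonation threat."""
    v = Verdict()
    sender = msg["from"].lower()
    text = f"{msg['subject']}\n{msg['body']}"
    lowered = text.lower()

    if sender in KNOWN_SENDERS:
        v.flag(5, f"sender {sender} matches a reported campaign address")
    elif sender.startswith("darkside@"):
        v.flag(3, "display name impersonates Dark Side from an unrelated domain")

    m = BTC_DEMAND.search(text)
    if m and int(m.group(1)) == 100:
        v.flag(2, "demands the campaign's fixed 100 BTC ransom")

    for victim in MISATTRIBUTED_VICTIMS:
        if victim in lowered and "darkside" in lowered:
            v.flag(2, f"credits Dark Side with the {victim.upper()} attack (actually REvil)")

    # Real double-extortion notices normally carry proof; the fake ones did not.
    if re.search(r"(hacked|stolen|exfiltrat)", text, re.I) and not PROOF_HINTS.search(text):
        v.flag(1, "claims data theft but offers no proof of access")

    return v


def is_likely_fake(msg: dict, threshold: int = 5) -> bool:
    """Convenience wrapper: True when the score reaches the triage threshold."""
    return triage(msg).score >= threshold


# Constructed sample messages (not real mail from the campaign).
SAMPLES = [
    {
        "from": "darkside@99email.xyz",
        "subject": "Your network has been hacked",
        "body": "We are DarkSide. We hacked your network and stole your data, like we did "
                "to Colonial Pipeline and JBS. Pay 100 BTC to the wallet below or the "
                "data goes public.",
    },
    {
        "from": "billing@vendor.example",
        "subject": "Invoice 4471",
        "body": "Please find the attached invoice for last month's services.",
    },
    {
        "from": "darkside@mail.example",
        "subject": "Warning",
        "body": "We have exfiltrated your files. Proof: sample archive available on request.",
    },
]

if __name__ == "__main__":
    for s in SAMPLES:
        v = triage(s)
        print(f"{s['from']}: score={v.score} fake={is_likely_fake(s)} reasons={v.reasons}")
```

The scores are deliberately coarse: the point is to route a message to a human analyst with the reasons attached, not to auto-dismiss it, since the article itself warns that a more convincing copycat could succeed where this one failed.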
