Imitation Darkside Ransomware gang targets Energy and Food Industries with Exploitation Emails

You are currently viewing Imitation Darkside Ransomware gang targets Energy and Food Industries with Exploitation Emails

It is said that imitation is the sincerest form of flattery, but it is doubtful that the newly-retired operators behind the Darkside Ransomware attacks feel the admiration in a new series of exploitation emails sent by a group of individuals pretending to be the notorious gang. Darkside Ransomware and the gang behind the strain were slingshotted into the public eye in recent weeks when a “routine” Ransomware attack got out of hand and brought the Colonial Pipeline offline, strangling the fuel supply on the East Coast for several days.

The Darkside ransomware operation launched in August 2020, targeting corporate networks and demanding millions of dollars for a decryptor and a promise not to release stolen data.

After hitting Colonial Pipeline, the largest fuel pipeline in the US, the ransomware gang was thrust into the spotlight. The US government and law enforcement shifted their focus to the group.

This increased scrutiny by enforcement led to DarkSide suddenly shutting down its operation in May out of fear of being arrested.

Since then, there has been no activity reported from the Darkside Ransomware gang or its affiliates.

In a new report by Trend Micro and further analyzed by BleepingComputer, it was revealed that there is currently a new extortion campaign ongoing, carried out by threat actors posing as the Darkside Ransomware gang.

“Several companies in the energy and food industry have recently received threatening emails supposedly from DarkSide,” explains Trend Micro researcher Cedric Pernet.

“In this email, the threat actor claims that they have successfully hacked the target’s network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 bitcoins (BTC) is not paid.”

The attacks have been entirely against the energy and food sectors.

Darkside Ransomware
Industries Targeted in the Fake Campaign

This new extortion campaign consists of emails sent to companies or through their website contact forms that state the ransomware gang hacked the company’s servers and stole data during the attack. The email says that the company must pay 100 bitcoins to an enclosed bitcoin address, or threat actors will publicly release the documents.

The extortion strategy consists of emails send to companies through their website contact forms, claiming that the Darkside Ransomware gang has breached the company’s servers and stole data. The ransom price is always 100 bitcoins, which must be sent to an enclosed bitcoin address, or the hackers will released the documents to the public.

The message in full is as follows:

Hi, this is DarkSide.

It took us a lot of time to hack your servers and access all your accounting reporting. Also, we got access to many financial documents and other data that can greatly affect your reputation if we publish them.
It was difficult, but luck was helped by us – one of your employees is extremely unqualified in network security issues. You could hear about us from the press – recently we held a successful attack on the Colonial Pipeline.

For non-disclosure of your confidential information, we require not so much – 100 bitcoins. Think about it, these documents may be interested not only by ordinary people, but also the tax service and other organizations, if they are in open access … We are not going to wait long – you have several days.

Our bitcoin wallet – bc1qcwrl3yaj8pqevj5hw3363tycx2x6m4nkaaqd5e

According to TrendMicro, the bitcoin wallet address is always the same. Researchers at BleepingComputer have been monitoring the wallet and have confirm that no money has been sent to or from it.

Considering 100 bitcoins is roughly $3.6 Million dollars, it is unlikely the wallet will see any activity.

It is unknown how the individuals behind this hope to achieve their aims. Of all gangs to impersonate, one that publicly retired is probably not the best choice. Moreover, it is not in their best interests to pretend to be a group watched so closely by global authorities.

Darkside Ransomware Analysis


This analysis of Darkside was carried out largely by researchers at Cybereason. It completed before the gang retired.

Like many other ransomware variants, DarkSide follows the double extortion trend, which means the threat actors not only encrypt the user’s data, but first exfiltrate the data and threaten to make it public if the ransom demand is not paid. This technique effectively renders the strategy of backing up data as a precaution against a ransomware attack moot.

DarkSide is observed being used against targets in English-speaking countries, and appears to avoid targets in countries associated with former Soviet Bloc nations. The ransom demand ranges between US$200,000 to $2,000,000, and according to their website, the group has published stolen data from more than 40 victims, which is estimated to be just a fraction of the overall number of victims.

Unlike many ransomware variants such as Maze, which was employed to successfully attack suburban Washington schools, the group behind DarkSide appears to have a code of conduct that prohibits attacks against hospitals, hospices, schools, universities, non-profit organizations, and government agencies

Darkside Ransomware
Rules for those purchasing Darkside Ransomware

After gaining an initial foothold in the network, the attackers start to collect information about the environment and the company. If it turns out that the potential target is on the attacker’s list of prohibited organizations to attack (ie: hospitals, hospices, schools, universities, non-profit organizations, or government agencies), they don’t move forward with the attack.

If not on the prohibited list, the attackers continue to carry out the operation. The attackers begins to collect files, credentials and other sensitive information, and exfilitrate it. Following this, the attackers use PowerShell to download the DarkSide binary as “update.exe” using the “DownloadFile” command, abusing Certutil.exe and Bitsadmin.exe in the process.

In addition to downloading the DarkSide binary into the C:\Windows and temporary directories, the attacker also creates a shared folder on the infected machine and uses PowerShell to download a copy of the malware there.

After successfully gaining a foothold on one machine in the environment, the attacker begins to move laterally in the environment, with the main goal of conquering the Domain Controller (DC).

Once the attackers make it to the DC, they start to collect other sensitive information and files, including dumping the SAM hive that stores targets’ passwords

In addition to collecting data from the DC, the attackers use PowerShell to download the DarkSide binary from the shared folder created on the previously infected host.

When the DarkSide ransomware first executes on the infected host, it checks the language on the system, using GetSystemDefaultUILanguage() and GetUserDefaultLangID() functions to avoid systems located in the former Soviet Bloc countries from being encrypted.

Darkside Ransomware
Darkside Ransomware checking if the installed language is Russian

DarkSide then proceeds to stop the all services related to security and backup solutions. It then creates a connection to its C2 (command and control) server. After uninstalling the Volume Shadow Copy Service (VSS), DarkSide then deletes the shadow copies by launching an obfuscated PowerShell script that uses WMI to delete them.

The malware then enumerates the running processes and terminates different processes to unlock their files so it can both steal related information stored in the files and encrypt them.

DarkSide creates a unique User_ID string for the victim, and adds it to the encrypted files extension as follows:
<File_name>.{userid}. In addition, the malware also changes the icons for the encrypted files and changes the background of the desktop to all black, with the text “All your files have been encrypted!”

Finally, it leaves the Ransomware note:

Darkside Ransomware


While Darkside as an organisation may have intentions that some would consider ‘harmless’, it is very clear that their ransomware product is unchecked and can be used on anybody. It is critical that business owners have the right tools to keep their company’s safe in the face of ever-evolving cyberthreats like Darkside Ransomware.

SaferNet is the perfect solution to the cybersecurity issues that individuals, families, and businesses face today. It not only connects every device using a secure, 24/7 always on, military grade VPN, but it also stops outside cyberthreats, malware and viruses as well. On SaferNet, all users are protected anywhere in the world, all the time, on any cellular or Wi-Fi network. In addition to SaferNet’s VPN and cyber protection, it also offers a range of employee or parental/family internet controls including internet filtering, monitoring, scheduling, and blocking access to websites or even entire website categories

Typically, a business or family would need 3 separate services for a VPN, Malware Protection, and Internet Controls; SaferNet offers all 3 features in one service. SaferNet truly is an endpoint security presence that can be implemented in minutes around the world, on phones, laptops, tablets, and computers at an economical price point that caters to all sizes of businesses and families. SaferNet guarantees a smooth setup and installation process that takes only minutes, and an easily accessible control hub for you to monitor all your employee’s or family members devices; including activity, time spent online, and threats blocked.

Leave a Reply