The behavior behind this fraud campaign is very different from what DarkSide exhibited in its previous campaigns. DarkSide has always been able to show proof that they obtained stolen sensitive data. They also lead their targets to a website hosted on the Tor network. However, in this campaign, the email does not mention anything about proving that they have indeed obtained confidential or sensitive information.
Also, like most modern ransomware attacks, DarkSide launched the ransomware to paralyze their target’s operations before demanding ransom. Here, there is no encryption of any content on the target network; the actors just send a threat and a ransom demand based on the assertion that they reportedly have the data.
Perhaps the most telling: The actors behind these threats mentioned JBS as the victim of one of their recent publicized attack; the JBS attack was not attributed to DarkSide, but to REvil (aka Sodinokibi).
All in all, this campaign looks amateurish compared to known previous DarkSide activities. The amount requested from every target, 100 BTC, is worth approximately 4 million US dollars. We believe that most companies will not be urged to pay that amount without being shown any real evidence that the network has been compromised and sensitive data is about to leak in public.
While the rest of the campaign shows clumsy techniques, it is worth noting that the attacker deliberately selected companies in specific industries for a reason. The decision to handpick these targets are probably influenced by the recent ransomware attacks on JBS and Colonial Pipeline, which belong to the same industries.
Besides being affected in these recent attacks, these industries have also been consistently among the most targeted in the past. In 2020, our cybersecurity roundup report found the food and beverage and the oil and gas industries among the top ten industries most targeted by ransomware.
One of the causes for this might be because these sectors are expected to provide essential goods and/or services on the daily basis. The longer the attack remains unthwarted and the companies’ operations subsequently interrupted, the more the affected organization losses profit and reputation. The shutdown of these services might also cause public uproar and panic, especially when it potentially affects a large number of people.
In the aftermath, an attack’s impact could raise fears about food and/or energy security, triggering panic buying as the public worries about possible spikes in prices that could be caused by the attack.
This is one of the reasons why attackers, real and fake alike, would choose to launch campaigns on essential supply providers: their targets are aware of the far-reaching immediate effects an attack could have, affecting not just the company itself, but a slew of consumers as well. Considering this, the targets would be more likely to cave into the ransom demands. In the campaign we spotted, fortunately no one actually paid, probably due to the questionable details in the email. However, this does not remove the possibility that an attacker with more believable methods could successfully ensnare targets.
In the wake of the apprehension brought about by recent ransomware attacks that affected major companies, organizations should always verify the validity of the threats before taking any action. Better yet, organizations could nip these threats from the bud by using security solutions that block spam and other email-based threats.
- 205[.]185[.]127[.]35 (Tor exit node)
Read More HERE