Several companies in the energy and food industries have recently received threatening emails supposedly from DarkSide. In these emails, the threat actor claims to have successfully hacked the target's network and gained access to sensitive information, which will be disclosed publicly if a ransom of 100 Bitcoins (BTC) is not paid. However, the content of the emails leads researchers to believe that they did not come from DarkSide, but from an opportunistic low-level attacker trying to profit from the current situation and the public awareness around DarkSide ransomware. The behavior behind this fraud campaign is very different from what DarkSide exhibited in its previous campaigns. DarkSide has always been able to show proof that it obtained stolen sensitive data, and it directs its targets to a website hosted on the Tor network. In this campaign, however, the email says nothing about proving that confidential or sensitive information was obtained. Most likely, the people sending these email messages have not hacked into the targeted companies' networks at all.
If contacted by a threat actor with an extortion attempt claiming to have exfiltrated your business's confidential or sensitive data, don't immediately assume that the claim is true. Threat actors who have actually stolen files usually provide proof that they have the data by sending screenshots or copies of files. Be very careful opening files that are offered as proof, because they could be used to deliver malware: such files should only be opened on a sandboxed test system, never on a production computer on the corporate network. There may be more activity like this in the future, trying to profit from the reputation of ransomware gangs that have been exfiltrating data.
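The traits described above (a named-gang claim, a Bitcoin demand, no Tor portal, no proof of exfiltration, and attachments that must only be opened in a sandbox) can be turned into a first-pass triage heuristic for an inbound extortion email. The following is an added example, not code from the original advisory or from any vendor; the regexes, the verdict labels, and the two sample messages (including the placeholder .onion address) are all constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

@dataclass
class ExtortionEmail:
    """Constructed, minimal view of an inbound message (not a real mail parser)."""
    subject: str
    body: str
    attachments: List[str] = field(default_factory=list)

# Traits the advisory describes: gang claim, Bitcoin demand, Tor portal, evidence of theft.
GANG_RE = re.compile(r"\bdarkside\b", re.I)
BTC_RE = re.compile(r"\b\d+(?:\.\d+)?\s*(?:btc|bitcoins?)\b", re.I)
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)
PROOF_RE = re.compile(r"\b(screenshots?|samples?|file ?listing|attached)\b", re.I)

def triage(mail: ExtortionEmail) -> Tuple[str, List[str]]:
    """Return ('likely-hoax' | 'treat-as-credible' | 'unclear', findings).
    A prioritisation aid for analysts only; it proves nothing about the sender."""
    text = f"{mail.subject}\n{mail.body}"
    findings = []
    claims_gang = bool(GANG_RE.search(text))
    demands_btc = bool(BTC_RE.search(text))
    has_onion = bool(ONION_RE.search(text))
    offers_proof = bool(PROOF_RE.search(text)) or bool(mail.attachments)
    if claims_gang:
        findings.append("claims affiliation with a known ransomware gang")
    if demands_btc:
        findings.append("demands payment in Bitcoin")
    if not has_onion:
        findings.append("no Tor (.onion) portal, unlike prior DarkSide campaigns")
    if not offers_proof:
        findings.append("no proof of exfiltration offered")
    if mail.attachments:
        findings.append("attachments present: open only on a sandboxed test system")
    if claims_gang and demands_btc and not has_onion and not offers_proof:
        return "likely-hoax", findings
    if has_onion or offers_proof:
        return "treat-as-credible", findings
    return "unclear", findings

# Constructed sample messages modelled on the behaviour the advisory contrasts.
HOAX = ExtortionEmail(
    subject="Your network is compromised",
    body="We are DarkSide. We have your data. Pay 100 BTC or it goes public.",
)
WITH_PROOF = ExtortionEmail(
    subject="Read carefully",
    body="DarkSide here. Screenshots of your finance share are attached; "
         "negotiate at placeholderonionaddressxyz.onion. Pay 100 btc.",
    attachments=["proof.zip"],
)
```

Each finding is kept as a human-readable string so the analyst sees why a message was scored, rather than only the verdict.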