{"id":18210,"date":"2021-04-16T16:12:55","date_gmt":"2021-04-16T12:12:55","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/darkside-ransomware-industry\/18210\/"},"modified":"2021-04-16T16:13:32","modified_gmt":"2021-04-16T12:13:32","slug":"darkside-ransomware-industry","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/darkside-ransomware-industry\/18210\/","title":{"rendered":"Five signs ransomware is becoming an industry"},"content":{"rendered":"<p>Not content with its innovative <a href=\"https:\/\/www.kaspersky.com\/blog\/ransomware-leverage\/39218\/\" target=\"_blank\" rel=\"noopener nofollow\">victim-pressuring tactics<\/a>, the DarkSide ransomware gang has forged ahead with DarkSide Leaks, a professional-looking website that could well be that of an online service provider, and is using traditional marketing techniques. What follows are the five most illustrative examples of one gang\u2019s transformation from an underground criminal group to an enterprise.<\/p>\n<h2>1. Media contacts<\/h2>\n<p>Legitimate companies always provide some sort of press center or media zone. The DarkSide cybercriminals have followed suit, publishing news about upcoming leaks and letting journalists ask questions in their press center.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/16161304\/darkside-ransomware-industry-press.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/16161304\/darkside-ransomware-industry-press.png\" alt=\"DarkSide Leaks press center\" width=\"448\" height=\"262\" class=\"aligncenter size-full wp-image-18211\"><\/a><\/p>\n<p>At least, that\u2019s what they say. In reality, DarkSide\u2019s aim is to generate as much online buzz as possible. 
More media attention could lead to more widespread fear of DarkSide, potentially meaning a greater chance the next victim will decide just to pay instead of causing trouble.<\/p>\n<h2>2. Decryption company partnerships<\/h2>\n<p>DarkSide\u2019s extortionists are seeking partners among companies that provide legitimate data decryption services. The ostensible reason is that some victims do not have their own infosec departments and have to rely on outside experts to decrypt their data. DarkSide offers such experts technical support and discounts linked to the amount of work they do.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/16161310\/darkside-ransomware-industry-partners.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/16161310\/darkside-ransomware-industry-partners.png\" alt=\"Partner search announcement\" width=\"624\" height=\"122\" class=\"aligncenter size-full wp-image-18213\"><\/a><\/p>\n<p>The subterfuge here should be obvious. The crooks aren\u2019t looking out for victims who can\u2019t decrypt the data; they\u2019re looking for big money. State-owned companies may be prohibited from negotiating with extortionists, but they\u2019re free to work with companies that provide decryption services. The latter act as a kind of intermediary in this case, pretending to restore data but in fact simply paying the crooks and pocketing the change. That may be legal, but it smacks strongly of criminal collusion.<\/p>\n<h2>3. Charitable donations<\/h2>\n<p>The extortionists have been donating to charity, and they post about their donations on DarkSide Leaks. Why bother? 
Apparently, to persuade those reluctant to pay ransom that some of the money will go to a good cause.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/16161316\/darkside-ransomware-industry-charity.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/16161316\/darkside-ransomware-industry-charity.png\" alt=\"Charity\" width=\"624\" height=\"535\" class=\"aligncenter size-full wp-image-18215\"><\/a><\/p>\n<p>Here, we actually have another catch, in that some countries, including the US, prohibit charitable organizations <a href=\"https:\/\/www.zdnet.com\/article\/ransomware-gang-donates-part-of-ransom-demands-to-charity-organizations\/\" target=\"_blank\" rel=\"nofollow noopener\">from taking money<\/a> obtained illegally. In other words, such payments would never actually reach them.<\/p>\n<h2>4. Business analytics<\/h2>\n<p>Originally, nobody but criminals and some infosec experts tended to see the stolen information ransomware operators posted, typically on hacker forums. Now, some cybercriminals have added data and market analysis, and they look for leverage in company contacts, clients, partners, and competitors before leaking stolen information. They can then send links to stolen files directly to interested parties. 
The main goal, <a href=\"https:\/\/www.kaspersky.com\/blog\/accellion-fta-data-leaks\/38980\/\" target=\"_blank\" rel=\"noopener nofollow\">again<\/a>, is to inflict maximum damage on the target so as to encourage payment and intimidate future victims.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/16161324\/darkside-ransomware-industry-letter.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/16161324\/darkside-ransomware-industry-letter.png\" alt=\"Letter to interested parties\" width=\"624\" height=\"143\" class=\"aligncenter size-full wp-image-18217\"><\/a><\/p>\n<h2>5. Declaration of moral principles<\/h2>\n<p>DarkSide Leaks contains an ethical principles declaration \u2014 just like the ones real corporations post on their websites. Here, cybercriminals make claims, for example saying they\u2019d never attack medical companies, funeral parlors, educational institutions, or nonprofit or government organizations. In this case, we are not sure what the goal of this declaration might be. Is the victim supposed to think, \u201cThese people care, so I\u2019ll definitely pay them\u201d?<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/16161331\/darkside-ransomware-industry-principles.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2021\/04\/16161331\/darkside-ransomware-industry-principles.png\" alt=\"An ethical principles declaration\" width=\"624\" height=\"213\" class=\"aligncenter size-full wp-image-18219\"><\/a><\/p>\n<p>A recent <a href=\"https:\/\/www.kaspersky.com\/blog\/ransomware-leverage\/39218\/\" target=\"_blank\" rel=\"noopener nofollow\">incident involving schoolkids\u2019 data<\/a> reveals the lie. 
Technically, that target wasn\u2019t an educational institution, but it was the school\u2019s data that the crooks threatened to publish.<\/p>\n<h2>What to do<\/h2>\n<p>Cybercriminals clearly have the resources to invest in market analysis, professional collaborations, and charity. The way to defeat them is to cut off their sources of income. That means:<\/p>\n<ul>\n<li>Don\u2019t pay ransom. It\u2019s a bold move that may have consequences, but not paying is the right option. See <a href=\"https:\/\/www.kaspersky.com\/blog\/to-pay-or-not-to-pay\/38946\/\" target=\"_blank\" rel=\"noopener nofollow\">Eugene Kaspersky\u2019s recent post<\/a> about why you should never give in;<\/li>\n<li>Install a <a href=\"https:\/\/me-en.kaspersky.com\/small-to-medium-business-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder_______\" target=\"_blank\" rel=\"noopener\">reliable security solution<\/a> on all connected devices to cut off any ransomware schemes before they begin.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>With a website that looks like it could represent an online service provider, DarkSide Leaks makes us wonder what cybercriminals\u2019 other PR tricks might be.<\/p>\n","protected":false}}