New ransomware group claims to have hit Canadian corporate giant

Howard Solomon

4 years ago

A new ransomware group says a Toronto-based billion-dollar company is allegedly one of its first victims of a new ransomware group calling itself DarkSide. The new group is demanding payment or threatening to release the copied corporate files publically.

IT World Canada isn’t identifying the publicly-traded company until the data breach is confirmed, but according to a posting today on the group’s dark web site some 200 GB of information including employee files, finance and payroll records and business plans were copied before encryption.

“If you need proof we are ready to provide you with it,” the gang says on the site. “The data is preloaded and will be automatically published if you do not pay. After publication your data will be available [to others] for at least six months on our tor cdn servers.”

Darkside revealed itself on the web 10 days ago, stating “We are a new product on the market, but that does not mean that we have no experience and we came from nowhere. We received millions of dollars in profit by partnering with other well-known cryptolockers. We created DarkSide because we didn’t find the perfect product for us. Now we have it.”

The gang appears to be another threat actor that has quickly taken advantage of the recent trend of combining ransomware with data theft. Defenders were often successful at fending off ransomware demands if they had good backups. But armed with what they hope will be sensitive data, ransomware gangs are increasing the pressure on victims by threatening to release files to the public — which would embarrass the company and damage its reputation — or to other criminals.

The DarkSide website says, “Based on our principles we will not attack the following targets: Medicine, education, non-profit organizations, government. We only attack targets that can pay the requested amount, we do not want to kill your business. Before any attack, we analyze your accountancy and determine how much you can pay based on your net income. You can ask all your questions in the chat before paying and our support team will answer them.”

According to the news site Bleeping Computer, Darkside has sent ransom notes to victims between $200,00 and $2 million.

“The big game hunters are successfully hunting ever bigger game,” commented Brett Callow, a British-Columbia based threat analysts for Emsisoft. “As a result, ransom demands are increasing, the criminals’ revenues are increasing and, consequently, they have more to invest in ramping up their operations in terms of both scale and sophistication. In other words, we have a vicious circle in which the criminals keep on becoming better resourced and able to attack more companies, more effectively.

“Companies in the financial sector make for particularly attractive targets as, due to the sensitivity of the information they hold, actors probably perceive them to be among the most likely to pay to prevent their clients’ data leaking onto the dark web or being publicly auctioned.

“Companies in this situation are without good option. Even if a company chooses to pay the ransom, all it will receive is a pinky promise from a bad faith actor that the stolen data will be destroyed. Whether the groups do ever delete is something only they know, but I suspect they do not. Why would they?”