The Darkside ransomware group has distinguished itself from its cybercriminal counterparts not by technical innovation, but by slapping a shiny corporate veneer on its attacks. The latest evolution in Darkside’s ransomware-as-a-corporation gimmick is a hefty $20,000 donation that the group made with stolen Bitcoin to two international charitable organizations, The Water Project and Children International, which it then mysteriously announced in a press release.
“Altruism isn’t a common trait in criminal extortion gangs, so it’s difficult to take their motivations at their word,” Chris Clements with Cerberus Sentinel said in a statement about the donations.
The Water Project did not immediately respond to Threatpost’s inquiries. Children International told Threatpost that the matter is being investigated.
“We are aware of the situation and are researching it internally,” Lauren Jurgens from Children International told Threatpost by email. “If the donation is linked to a hacker, we have no intention of keeping it.”
Darkside announced the deposits on October 13 through one of its corporatized “press releases” posted on a dark web portal, according to BBC, along with tax receipts showing a donation of .88 Bitcoin to each group, or $10,000 apiece.
“The most troubling realization here is that the cybercriminals have made so much money through extortion that donating $20,000 is chump change to them,” Clements added.
Darkside has devoted much of its time to trying to carve out a position as an altruistic, digital Robin Hood. The public relations ploy isn’t likely to have much sway with law enforcement, and public sentiment has little to do with criminal activity.
“As we said in the first press release — we are targeting only large, profitable corporations,” the group wrote. “We think it’s fair that some of the money they’ve paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.”
Javvad Malik, security awareness advocate with KnowBe4, told Threatpost that regardless of the messaging, the goal of ransomware crimes remains the same: to drive better outcomes for their breaches and steal more money.
“This [steal from the rich, give to the poor tactic] is not so much a shift in the narrative as a shift in the business model driving these criminal organizations,” he said, adding that bigger corporations give them more of what they want. “The more systems that can be disrupted, the more data that can be stolen, and the more public pressure that can be mounted on organizations — which means a greater likelihood for payout and greater profit.”
Digital Shadows has been tracking Darkside since it popped up last August, and a recent report pointed out that the group’s tactics follow typical ransomware patterns. The exception is its chosen targets.
Stefano De Blasi with Digital Shadows said in that report that the group tries to differentiate itself by vowing not to attack organizations like schools, hospitals or governments, instead focusing on companies based on revenue.
Darkside uses customized ransomware for each attack and, according to Digital Shadows, combs through a company’s financial data to pinpoint what it believes to be an appropriate ransom.
“The ransomware executes a PowerShell command that deletes shadow volume copies on the system. DarkSide then proceeds to terminate various databases, applications, and mail clients to prepare for encryption,” De Blasi wrote.
Personalized ransom notes from Darkside are then issued to the breached company with details on the type and amount of data stolen, along with a link to the group’s leak site, where the data will be published if ransom demands aren’t met.
Getting the criminal gang’s name in the headlines is one way to help make sure published, stolen data gets the most attention possible, causing the most damage possible to targets.
“Whether or not they’ll succeed in breaking the mold – only time will tell,” De Blasi added. “While the cyber-threat landscape can be unpredictable and volatile, a trend is a trend, and we will continue to monitor the cybercriminal bandwagon closely.”
Most researchers are not impressed by Darkside’s seeming altruism and careful victim selection.
“This latest ‘donation’ effort by ransomware operators is just an attempt to improve their image publicly,” Katie Nickels, director of intelligence at Red Canary, said via email. “When the pandemic first started, we saw ransomware operators claim that they wouldn’t target hospitals — yet we know many of them have. If ransomware operators truly cared about making the world a better place, they would stop ransoming victims, not make donations.”