Ransomware Group Makes $20,000 Donation to Charity
- Andrés Buenahora
- Oct 26, 2020
Updated: Nov 11, 2020
Cybercriminal gang Darkside recently donated $20,000 to multiple charities in a Robin Hood-esque effort. According to experts, the move is likely intended to draw attention to future data dumps.
The Darkside ransomware group has distinguished itself from its cybercriminal counterparts “not by technical innovation, but by slapping a shiny corporate veneer on its attacks. The latest evolution in Darkside’s ransomware-as-a-corporation gimmick is a hefty $20,000 donation that the group made with stolen Bitcoin to two international charitable organizations, The Water Project and Children International, which they then mysteriously announced by a press release.” Chris Clements with Cerberus Sentinel stated that “Altruism isn’t a common trait in criminal extortion gangs, so it’s difficult to take their motivations at their word.”
Although The Water Project did not immediately respond to Threatpost’s inquiries, Children International told Threatpost that the matter is currently under investigation. Lauren Jurgens of Children International told Threatpost that the charity does not intend to keep the donation if it is linked to a hacker. Darkside “announced the deposits on October 13 through one of its corporatized ‘press releases’ posted on a dark web portal, according to BBC, along with tax receipts for the donations for 88 Bitcoin for each group, or $10,000 apiece.”
When it comes to branding, the group appears to have devoted time to cultivating an image as an altruistic, digital Robin Hood. Darkside has stated “as we said in the first press release — we are targeting only large, profitable corporations...We think it’s fair that some of the money they’ve paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone’s life.” Although the donation and stated altruistic goals set Darkside apart from most hackers, they will most likely not earn the group any leniency from law enforcement.
Javvad Malik, security awareness advocate with KnowBe4, echoed this sentiment in a recent statement. Malik emphasized that regardless of the motivation behind the message, the goal of all ransomware crimes remains the same: “To drive better outcomes for their breaches and steal more money. This [steal from the rich, give to the poor tactic] is not so much a shift in the narrative as a shift in the business model driving these criminal organizations. The more systems that can be disrupted, the more data that can be stolen, and the more public pressure that can be mounted on organizations — which means a greater likelihood for payout and greater profit.”
Digital Shadows has been tracking Darkside since it first appeared this past August, and a recent cybersecurity report indicated that the group’s tactics tend to follow typical ransomware patterns. The exception is its chosen targets. Stefano De Blasi of Digital Shadows said in that same report that the group “tries to differentiate itself by vowing not to attack organizations like schools, hospitals or governments, instead focusing on companies based on revenue. Darkside uses customized ransomware for each attack and, according to Digital Shadows, combs through a company’s financial data to pinpoint what they believe to be an appropriate ransom. The ransomware executes a PowerShell command that deletes shadow volume copies on the system. DarkSide then proceeds to terminate various databases, applications, and mail clients to prepare for encryption.”
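The sequence described in the report (a PowerShell shadow-copy deletion followed by terminations of databases, applications and mail clients) can be turned into a correlation rule; the following is an added example, not code from the article or from Digital Shadows. The event format, process names, thresholds and sample events are constructed assumptions, and the script text is assumed to be already decoded, as PowerShell script block logging records it.

```python
import re
from datetime import datetime, timedelta

# Assumption: the PowerShell deletion reaches Win32_ShadowCopy through WMI/CIM.
SHADOW_DELETE = re.compile(
    r"win32_shadowcopy.*(delete\s*\(|remove-wmiobject|remove-ciminstance)",
    re.IGNORECASE | re.DOTALL)
# Assumption: illustrative names for "databases, applications, and mail clients".
WATCHED = {"sqlservr.exe", "mysqld.exe", "oracle.exe", "outlook.exe",
           "thunderbird.exe", "winword.exe", "excel.exe"}
WINDOW = timedelta(minutes=5)   # how long after the deletion to look
MIN_KILLS = 3                   # distinct watched processes that must exit

def detect(events):
    """Return (host, deletion_time, terminated_processes) alerts.

    events: (iso_time, host, kind, detail) tuples in a hypothetical
    normalized format; kind is 'ps_script' (decoded script text) or
    'proc_exit' (image name of a process that ended).
    """
    parsed = sorted((datetime.fromisoformat(t), h, k, d) for t, h, k, d in events)
    alerts = []
    for when, host, kind, detail in parsed:
        if kind != "ps_script" or not SHADOW_DELETE.search(detail):
            continue
        killed = {d.lower() for t, h, k, d in parsed
                  if h == host and k == "proc_exit"
                  and when <= t <= when + WINDOW and d.lower() in WATCHED}
        if len(killed) >= MIN_KILLS:
            alerts.append((host, when.isoformat(), sorted(killed)))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE = [
    ("2020-10-26T10:00:00", "FIN-01", "ps_script",
     "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}"),
    ("2020-10-26T10:00:20", "FIN-01", "proc_exit", "sqlservr.exe"),
    ("2020-10-26T10:00:25", "FIN-01", "proc_exit", "OUTLOOK.EXE"),
    ("2020-10-26T10:00:31", "FIN-01", "proc_exit", "excel.exe"),
    # Inventory query only: touches shadow copies but deletes nothing.
    ("2020-10-26T11:00:00", "HR-02", "ps_script",
     "Get-WmiObject Win32_ShadowCopy | Select-Object ID"),
    ("2020-10-26T11:00:10", "HR-02", "proc_exit", "outlook.exe"),
    # Many watched processes exit, but no deletion precedes them.
    ("2020-10-26T12:00:00", "OPS-03", "proc_exit", "sqlservr.exe"),
    ("2020-10-26T12:00:01", "OPS-03", "proc_exit", "winword.exe"),
    ("2020-10-26T12:00:02", "OPS-03", "proc_exit", "excel.exe"),
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Requiring both signals on the same host keeps routine backup scripts and ordinary application shutdowns from alerting on their own.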
Darkside then sends the breached company a customized ransom message with specific details on the type of data that was stolen, a ransom price, and a link to the group’s leak site, where the data will be published if its financial demands are not met. De Blasi added that whether “[Darkside] will succeed in breaking the mold – only time will tell. While the cyber-threat landscape can be unpredictable and volatile, a trend is a trend, and we will continue to monitor the cybercriminal bandwagon closely.”
Most researchers are far from impressed by Darkside’s altruistic endeavors and its calculated targeting of larger corporations based on revenue. Katie Nickels, director of intelligence at Red Canary, called the latest donation effort “an attempt to improve their image publicly. When the pandemic first started, we saw ransomware operators claim that they wouldn’t target hospitals — yet we know many of them have. If ransomware operators truly cared about making the world a better place, they would stop ransoming victims, not make donations.”
Although the group has made significant monetary donations to charities in a Robin Hood-like fashion, cybersecurity experts and law enforcement alike maintain that Darkside is by nature a cybercriminal organization, and that its activities and ransomware threats will be reprimanded regardless of any continued altruism.




