Ransomware response firm Coveware has placed the Iranian hacking group DarkSide on an internal restricted list after the gang announced plans to host infrastructure in Iran. When DarkSide hackers encrypt a network, their affiliates also steal some unencrypted files, threatening to release them if the ransom demands are not met. This double-extortion strategy has grown in popularity, as we have covered in the past.
DarkSide Plans to Host Infrastructure in Iran
To prevent their leak site from being taken down, DarkSide announced in November 2020 that they are building a sustainable storage system in Iran and other “unrecognized republics.” The reasoning is that if one server is taken down, the data will remain available on the other servers. In October 2020, the US Treasury Department’s Office of Foreign Assets Control issued an advisory warning ransomware negotiators and American businesses that paying ransoms may lead to sanctions violations and fines.
Previous examples of sanctioned hackers and hacking groups mentioned in the advisory include: the developer of the Cryptolocker ransomware, Evgeniy Mikhailovich Bogachev; two Iranians who provided material support to SamSam ransomware in November 2018; Lazarus Group and its two sub-groups, Bluenoroff and Andariel; and Evil Corp and its leader, Maksim Yakubets.
In addition to the sanctions against these cybercrime gangs, the US government already has existing sanctions against Iran. Since ransom payments to DarkSide could be used to pay Iranian hosting providers for this new and expanded data leak system, Coveware has added DarkSide ransomware to an internal restricted list and will no longer facilitate ransom payments to the group on behalf of its clients.