{
	"id": "d0a91902-a464-4c41-9e22-704e7e0cb685",
	"created_at": "2026-04-06T00:14:35.7487Z",
	"updated_at": "2026-04-10T03:23:51.56052Z",
	"deleted_at": null,
	"sha1_hash": "98bf2933128dd4bf233f475a35d742f7d039fb33",
	"title": "Five signs ransomware is becoming an industry",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 425416,
	"plain_text": "Five signs ransomware is becoming an industry\r\nBy Roman Dedenok\r\nPublished: 2021-04-16 · Archived: 2026-04-05 21:04:04 UTC\r\nNot content with its innovative victim-pressuring tactics, the DarkSide ransomware gang has forged ahead with\r\nDarkSide Leaks, a professional-looking website that could well be that of an online service provider, and is using\r\ntraditional marketing techniques. What follows are the five most illustrative examples of one gang’s\r\ntransformation from an underground criminal group to an enterprise.\r\n1. Media contacts\r\nLegitimate companies always provide some sort of press center or media zone. The DarkSide cybercriminals have\r\nfollowed suit, publishing news about upcoming leaks and letting journalists ask questions in their press center.\r\nAt least, that’s what they say. In reality, DarkSide’s aim is to generate as much online buzz as possible. More\r\nmedia attention could lead to more widespread fear of DarkSide, potentially meaning a greater chance the next\r\nvictim will decide just to pay instead of causing trouble.\r\n2. Decryption company partnerships\r\nDarkSide’s extortionists are seeking partners among companies that provide legitimate data decryption services.\r\nThe ostensible reason is that some victims do not have their own infosec departments and have to rely on outside\r\nexperts to decrypt their data. DarkSide offers such experts technical support and discounts linked to the amount of\r\nwork they do.\r\nhttps://www.kaspersky.com/blog/darkside-ransomware-industry/39377/\r\nPage 1 of 4\n\nThe subterfuge should be obvious, here. The crooks aren’t looking out for victims who can’t decrypt the data;\r\nthey’re looking for big money. State-owned companies may be prohibited from negotiating with extortionists, but\r\nthey’re free to work with companies that provide decryption services. 
The latter act as a kind of intermediary in\r\nthis case, pretending to restore data but in fact simply paying the crooks and pocketing the change. That may be\r\nlegal, but it smacks strongly of criminal collusion.\r\n3. Charitable donations\r\nThe extortionists have been donating to charity, and they post about their donations on DarkSide Leaks. Why\r\nbother? Apparently, to persuade those reluctant to pay ransom that some of the money will go to a good cause.\r\nHere, we actually have another catch, in that some countries, including the US, prohibit charitable organizations\r\nfrom taking money obtained illegally. In other words, such payments would never actually reach them.\r\n4. Business analytics\r\nOriginally, nobody but criminals and some infosec experts tended to see the stolen information ransomware\r\noperators posted, typically on hacker forums. Now, some cybercriminals have added data and market analysis, and\r\nthey look for leverage in company contacts, clients, partners, and competitors before leaking stolen information.\r\nThey can then send links to stolen files directly to interested parties. The main goal, again, is to inflict maximum\r\ndamage on the target so as to encourage payment and intimidate future victims.\r\n5. Declaration of moral principles\r\nDarkSide Leaks contains an ethical principles declaration — just like the ones real corporations post on their\r\nwebsites. Here, cybercriminals make claims, for example saying they’d never attack medical companies, funeral\r\nparlors, educational institutions, or nonprofit or government organizations. In this case, we are not sure what the\r\ngoal of this declaration might be. Is the victim supposed to think, “These people care, so I’ll definitely pay them”?\r\nA recent incident involving schoolkids’ data reveals the lie. 
Technically, that target wasn’t an educational\r\ninstitution, but it was the school’s data that the crooks threatened to publish.\r\nWhat to do\r\nCybercriminals clearly have the resources to invest in market analysis, professional collaborations, and charity.\r\nThe way to defeat them is to cut off their sources of income. That means:\r\nDon’t pay ransom. It’s a bold move that may have consequences, but not paying is the right option. See\r\nEugene Kaspersky’s recent post about why you should never give in;\r\nInstall a reliable security solution on all connected devices to cut off any ransomware schemes before they\r\nbegin.\r\nSource: https://www.kaspersky.com/blog/darkside-ransomware-industry/39377/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.kaspersky.com/blog/darkside-ransomware-industry/39377/"
	],
	"report_names": [
		"39377"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434475,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/98bf2933128dd4bf233f475a35d742f7d039fb33.pdf",
		"text": "https://archive.orkl.eu/98bf2933128dd4bf233f475a35d742f7d039fb33.txt",
		"img": "https://archive.orkl.eu/98bf2933128dd4bf233f475a35d742f7d039fb33.jpg"
	}
}