Security News > 2020 > November > DarkSide ransomware's Iranian hosting raises U.S. sanction concerns
Ransomware negotiation firm Coveware has placed the DarkSide operation on an internal restricted list after the threat actors announced plans to host infrastructure in Iran.
When the DarkSide ransomware operation encrypts a network, their affiliates steal unencrypted files, which they threaten to release if a ransom is not paid.
In October, the U.S. Treasury Department's Office of Foreign Assets Control issued an advisory that warned ransomware negotiators and U.S. businesses that paying ransom could lead to sanction violations and fines.
As ransom payments to DarkSide could be used to pay Iranian hosting providers for this new data leak system, Coveware has placed DarkSide ransomware on an internal restricted list and will no longer facilitate ransom payments with them.
"DarkSide's own TOR site announces the intent to use infrastructure hosted within Iran, a sanctioned nexus. The purpose of this infrastructure is to store data stolen from victims of ransom attacks. It is probable that a portion of the proceeds from any prospective ransom payment to DarkSide would be used to pay services providers within Iran. Accordingly, we have placed DarkSide on our restricted list," Coveware CEO Bill Siegel told BleepingComputer.