Latest Threat Research: LetMeowIn – Analysis of a Credential Dumper

Get Informed


Researchers Are Tracking Five Darkside Ransomware Affiliates

Researchers at FireEye have been tracking five clusters of threat actors that appear to be affiliates for the Darkside Ransomware group. Darkside works as a Ransomware-as-a-Service (RaaS) and offers variations of their ransomware to vetted threat actors for a percentage of the ransom paid. The group also offers its website as a platform for affiliates to leak sensitive information of companies that do not pay the ransom. The vetted affiliates have to pass an interview before they can gain access to the Darkside platform where they can choose their ransomware build, manage their victims, contact support, and even select what type of information they want to steal from companies to hold for ransom. FireEye has released the details of the five groups, with three of them tracked under designations: UNC2628, UNC2659, and UNC2465. The other two groups have not yet been assigned a designation.

  • UNC2628- This group has been active since February and moves quickly from initial infection to ransomware deployment. The group utilizes suspicious authentication attempts, brute-force attacks, and spray-and-pray attacks. Sometimes they will purchase legitimate credentials from other threat actors to begin their infection.
  • UNC2659- This cluster has been active since January. They typically will deploy ransom within ten days of infections. This threat actor will exploit CVE-2021-20016 to obtain initial access. This vulnerability has been patched and lies in the SonicWall SMA100 SSL VPN. Some evidence points to the group using the vulnerability to remove Multi-Factor Authentication (MFA) on accounts, but this has not been confirmed.
  • UNC2465- Active since April 2019, the group now uses phishing emails to deliver Darkside via the Smokedham .NET backdoor. Initial infection typically happens months before ransomware execution. Smokedham supports the execution of arbitrary .NET commands, keylogging, and screenshot generation. NGROK is used by the threat actors to bypass firewalls and expose remote desktop service ports.

Analyst Notes

Since Darkside is a RaaS, defense requires preparing for the tactics of all the affiliate groups that deploy it, not just one threat group. Not knowing which cluster could be attacking a company means many different security measures should be in place. These include ensuring that MFA is enabled for all accounts through a trusted third-party app and not SMS. Training all employees on how to spot phishing emails prevents employees from clicking anything within emails that are sent to them. Keeping all systems up to date can prevent threat actors from using older vulnerabilities to compromise them. All of these defenses should be in place for any organization, no matter what cyber-attack they are trying to protect themselves from. Along with these defense suggestions, companies should also utilize services such as Binary Defense’s Counterintelligence team which monitors for leaked information and alerts companies and employees to exposed emails and passwords limiting the effect threat actors can have when purchasing credentials. Binary Defense’s Security Operations Task Force monitors clients’ workstations and servers 24/7 to detect attacks based on possible attacker behaviors and prevents intrusions in the early stages to keep companies from suffering major damage.