Researchers at FireEye have been tracking five clusters of threat actors that appear to be affiliates of the Darkside ransomware group. Darkside operates as a Ransomware-as-a-Service (RaaS), offering variants of its ransomware to vetted threat actors in exchange for a percentage of the ransom paid. The group also offers its website as a platform where affiliates can leak sensitive information belonging to companies that do not pay. Prospective affiliates must pass an interview before they gain access to the Darkside platform, where they can choose their ransomware build, manage their victims, contact support, and even select what type of information they want to steal from companies to hold for ransom. FireEye has released details of the five groups; three of them are tracked under the designations UNC2628, UNC2659, and UNC2465, while the other two have not yet been assigned a designation.
- UNC2628 - This group has been active since February and moves quickly from initial infection to ransomware deployment. It relies on suspicious authentication attempts, brute-force attacks, and spray-and-pray attacks. Sometimes the group purchases legitimate credentials from other threat actors to begin its intrusion.
- UNC2659 - This cluster has been active since January and typically deploys ransomware within ten days of initial infection. The actor exploits CVE-2021-20016 to obtain initial access; this vulnerability, which has since been patched, lies in the SonicWall SMA100 SSL VPN. Some evidence points to the group using the vulnerability to remove Multi-Factor Authentication (MFA) from accounts, but this has not been confirmed.
- UNC2465 - Active since April 2019, the group now uses phishing emails to deliver Darkside via the Smokedham .NET backdoor. Initial infection typically happens months before ransomware execution. Smokedham supports the execution of arbitrary .NET commands, keylogging, and screenshot capture. The threat actors use NGROK to bypass firewalls and expose remote desktop service ports.
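The UNC2628 entry above names brute-force and spray-style authentication attacks as the group's way in. As an added example (not from the FireEye report), the following detection logic separates the two patterns in a constructed set of authentication log lines: a brute-force source hammers one account with many failures, while a spraying source spreads single failures across many accounts. The log format, IP addresses, usernames and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not real telemetry).
# 10.0.0.5 hammers one account; 10.0.0.9 tries many accounts once each;
# 10.0.0.20 is a benign user who mistyped a password once.
SAMPLE_LOG = """\
2021-05-11T02:00:01Z src=10.0.0.5 user=jsmith result=FAIL
2021-05-11T02:00:02Z src=10.0.0.5 user=jsmith result=FAIL
2021-05-11T02:00:03Z src=10.0.0.5 user=jsmith result=FAIL
2021-05-11T02:00:04Z src=10.0.0.5 user=jsmith result=FAIL
2021-05-11T02:00:05Z src=10.0.0.5 user=jsmith result=FAIL
2021-05-11T02:00:06Z src=10.0.0.5 user=jsmith result=SUCCESS
2021-05-11T02:10:00Z src=10.0.0.9 user=alice result=FAIL
2021-05-11T02:10:01Z src=10.0.0.9 user=bob result=FAIL
2021-05-11T02:10:02Z src=10.0.0.9 user=carol result=FAIL
2021-05-11T02:10:03Z src=10.0.0.9 user=dave result=FAIL
2021-05-11T02:10:04Z src=10.0.0.9 user=erin result=FAIL
2021-05-11T02:10:05Z src=10.0.0.9 user=frank result=SUCCESS
2021-05-11T03:00:00Z src=10.0.0.20 user=grace result=FAIL
2021-05-11T03:00:30Z src=10.0.0.20 user=grace result=SUCCESS
"""

# Assumed line layout: "<timestamp> src=<ip> user=<name> result=<FAIL|SUCCESS>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse(log_text):
    """Yield (src, user, result) for each well-formed line; skip malformed ones."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], m["user"], m["result"]

def find_credential_attacks(log_text, brute_threshold=5, spray_threshold=5):
    """Flag brute force (many failures against one account from one source) and
    password spraying (failures spread over many accounts from one source).
    Each alert also records whether the source later authenticated successfully,
    which is the case a responder most wants to triage first."""
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    success_after = defaultdict(set)                # src -> users that later succeeded
    for src, user, result in parse(log_text):
        if result == "FAIL":
            fails[src][user] += 1
        elif result == "SUCCESS" and src in fails:  # only sources with prior failures
            success_after[src].add(user)
    alerts = []
    for src, per_user in fails.items():
        for user, n in per_user.items():
            if n >= brute_threshold:
                alerts.append({"type": "brute_force", "src": src, "user": user,
                               "failures": n, "succeeded": user in success_after[src]})
        if len(per_user) >= spray_threshold:
            alerts.append({"type": "password_spray", "src": src,
                           "accounts": len(per_user), "succeeded": bool(success_after[src])})
    return alerts
```

Thresholds are deliberately low to keep the sample short; in production they would be tuned to the environment's normal failure rate and evaluated per time window.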