Researchers Described Five DarkSide Affiliates

Researchers Described Five DarkSide Affiliates

Customers of the RaaS can deploy malware as they see fit and dictate the content of leaks.

FireEye researchers have conducted an investigation into cyber activity linked to DarkSide ransomware and described five separate operators suspected of being DarkSide affiliates. 

The DarkSide gang runs a Ransomware-as-a-Service (RaaS) operation responsible for the attack on Colonial Pipeline that took place last week. 

Colonial Pipeline is one of the largest pipelines in the United States pumping fuel for 45% of the US East Coast. In a ransomware attack last week the pipeline has been shut which resulted in fuel shortages. The service still hasn’t been restored proving to be a serious case. Since the attack hit a critical infrastructure asset the FBI has been involved in investigating the incident. 

FireEye has identified five operators who are either current or past DarkSide RaaS affiliates. Also called subscribers, such affiliates rent access to malware – in this case, the DarkSide ransomware. They can use malware as they see fit, but in return pay its developers a slice of any ransom profits. 

FireEye describes the process of becoming one of the DarkSide affiliates. Those willing to join the group have to pass a pre-screening interview. Upon successful completion and payment, subscribers are provided with a control panel for selecting their ransomware build, managing their victims, and even support.

Out of the five threat actors, FireEye has described the current activities of three, UNC2628, UNC2659, and UNC2465. 

According to FireEye, UNC2628 has been active since February employing suspicious authentication attempts, brute force attacks, and ‘spray and pray’ tactics.

UNC2659, active since January this year, exploits CVE-2021-20016, a now-patched vulnerability in the SonicWall SMA100 SSL VPN, to obtain initial access. This actor uses TeamViewer to maintain persistence on a compromised machine. 

UNC2465 dates back to at least April 2019 and uses phishing emails to deliver DarkSide via the Smokedham .NET backdoor. The actor has also been observed using NGROK utility to circumvent firewalls and expose remote desktop ports. 

“We believe that threat actors have become more proficient at conducting multifaceted extortion operations and that this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years,” FireEye concluded. “We expect that the extortion tactics that threat actors use to pressure victims will continue to evolve throughout 2021.”


About the author

CIM Team

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.