Shining a Light on DARKSIDE Ransomware Operations

Update (May 14): Mandiant has observed multiple actors cite a May
13 announcement that appeared to be shared with DARKSIDE RaaS
affiliates by the operators of the service. This announcement stated
that they lost access to their infrastructure, including their blog,
payment, and CDN servers, and would be closing their service.
Decrypters would also be provided for companies who have not paid,
possibly to their affiliates to distribute. The post cited law
enforcement pressure and pressure from the United States for this
decision. We have not independently validated these claims and there
is some speculation by other actors that this could be an exit scam.

Background

Since initially surfacing in August 2020, the creators of DARKSIDE
ransomware and their affiliates have launched a global crime spree
affecting organizations in more than 15 countries and multiple
industry verticals. Like many of their peers, these actors conduct
multifaceted extortion where data is both exfiltrated and encrypted in
place, allowing them to demand payment for unlocking and the
non-release of stolen data to exert more pressure on victims.

The origins of these incidents are not monolithic. DARKSIDE
ransomware operates as a ransomware-as-a-service (RaaS) wherein profit
is shared between its owners and partners, or affiliates, who provide
access to organizations and deploy the ransomware. Mandiant currently
tracks multiple threat clusters that have deployed this ransomware,
which is consistent with multiple affiliates using DARKSIDE. These
clusters demonstrated varying levels of technical sophistication
throughout intrusions. While the threat actors commonly relied on
commercially available and legitimate tools to facilitate various
stages of their operations, at least one of the threat clusters also
employed a now-patched zero-day vulnerability.

Reporting on DARKSIDE has been available in advance of this blog
post to users of Mandiant Advantage Free, a no-cost version of our
threat intelligence platform.

Targeting

Mandiant has identified multiple DARKSIDE victims through our
incident response engagements and from reports on the DARKSIDE blog.
Most of the victim organizations were based in the United States and
span across multiple sectors, including financial s
