Shining a Light on DARKSIDE Ransomware Operations

This article has been indexed from Threat Research

Since initially surfacing in August 2020, the creators of DARKSIDE
ransomware and their affiliates have launched a global crime spree
affecting organizations in more than 15 countries and multiple
industry verticals. Like many of their peers, these actors conduct
multifaceted extortion where data is both exfiltrated and encrypted in
place, allowing them to demand payment for unlocking and the
non-release of stolen data to exert more pressure on victims.

The origins of these incidents are not monolithic. DARKSIDE
ransomware operates as a ransomware-as-a-service (RaaS) wherein profit
is shared between its owners and partners, or affiliates, who provide
access to organizations and deploy the ransomware. Mandiant currently
tracks multiple threat clusters that have deployed this ransomware,
which is consistent with multiple affiliates using DARKSIDE. These
clusters demonstrated varying levels of technical sophistication
throughout intrusions. While the threat actors commonly relied on
commercially available and legitimate tools to facilitate various
stages of their operations, at least one of the threat clusters also
employed a now-patched zero-day vulnerability.

Reporting on DARKSIDE has been available in advance of this blog
post to users of Mandiant Advantage Free, a no-cost version of our
threat intelligence platform.

Targeting

Mandiant has identified multiple DARKSIDE victims through our
incident response engagements and from reports on the DARKSIDE blog.
Most of the victim organizations were based in the United States and
spanned multiple sectors, including financial services, legal,
manufacturing, professional services, retail, and technology. The
number of publicly named victims on the DARKSIDE blog has increased
overall since August 2020, with the exception of a significant dip in
the number of victims named during January 2021 (Figure 1). It is
plausible that the decline in January was due to threat actors using
DARKSIDE taking a break during the holiday season. The overall growth
in the number of victims demonstrates the increasing use of the
DARKSIDE ransomware by multiple affiliates.



Figure 1: Known DARKSIDE victims (August

[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.
