CompuCom told customers it suffered a DarkSide ransomware attack after the hackers acquired administrative credentials for the Office Depot subsidiary, according to BleepingComputer.

The ransomware group started by installing Cobalt Strike beacons on several systems in the environment of Dallas-based CompuCom. That’s according to a ‘Customer FAQ Regarding Malware Incident’ document shared with BleepingComputer on March 4. Cobalt Strike is a commercial penetration-testing toolkit built to proactively test an organisation’s defences against advanced tactics, techniques and procedures; its beacon implant is also widely abused by attackers, as it was here.

The Cobalt Strike beacons give remote adversaries access to the network, from which they can steal data and spread to other machines, according to BleepingComputer. BleepingComputer said the hackers then achieved their objective of deploying the ransomware. CompuCom first suffered an outage over the weekend of February 27/28 that blocked customers from opening troubleshooting tickets in the company portal.

“Based on our expert’s analysis to date, we understand that the attacker deployed a persistent Cobalt Strike backdoor to several systems in the environment and acquired administrative credentials,” the CompuCom FAQ reads, according to BleepingComputer. “These administrative credentials were then used to deploy the Darkside Ransomware.” CompuCom hasn’t responded to CRN requests for comment.

It is likely that the DarkSide ransomware operators harvested CompuCom’s unencrypted files before encrypting the devices, according to BleepingComputer. If CompuCom or CompuCom customer data was stolen and a ransom is not paid, the DarkSide group will likely publish this data on their ransomware leak site in the next few weeks, BleepingComputer reported.

With its latest admission, CompuCom becomes the fifth solution provider behemoth to suffer a ransomware attack in the past year, following in the footsteps of Cognizant, Conduent, DXC Technology and Tyler Technologies. The five channel titans that have been hit with ransomware have combined revenue of $42.78 billion and a joint market cap of $54.36 billion.

CompuCom admitted late on March 3 that a malware attack had been affecting some of the services the large national systems integrator provides to customers, adding that it was in the process of restoring customer services and internal operations. But CompuCom didn’t respond to CRN questions about whether it was a ransomware attack, even though multiple people had told BleepingComputer it was.

CompuCom reportedly disconnected its access to some customers to stop the malware from spreading, according to BleepingComputer. One customer told BleepingComputer they had detached from CompuCom’s Virtual Desktop Infrastructure (VDI) to ensure their data wasn’t affected by the attack.

DarkSide can encrypt both Windows and Linux systems, according to Brett Callow, a threat analyst with Emsisoft. The New Zealand-based anti-malware vendor has a decryptor for DarkSide that doesn’t remove the need to pay the ransom demand, but does enable victims to reduce their recovery time by up to 70% compared with the tools offered by the criminals, Callow told CRN.

DarkSide was launched on Aug. 10, 2020, with the operators pledging not to attack hospitals, schools, nonprofits or government targets, Wired reported in August 2020. The ransomware group also claimed at launch that it would only attack businesses that can afford to pay a ransom, according to Wired. “Before any attack, we carefully analyze your accountancy and determine how much you can pay based on your net income,” DarkSide wrote in its Aug. 10, 2020, press release.

Then in October, the operators behind DarkSide made the puzzling decision to donate $10,000 in Bitcoin from ransom proceeds to charities Children International and The Water Project, BBC News reported at the time. A Children International spokesperson told BBC at the time it wouldn’t be keeping the money since the donation was linked to a hacker.

Source: CRN