Newly discovered function in DarkSide ransomware variant targets disk partitions. At the time of discovery, FortiGuard Labs researchers believed the ransomware was seeking out partitions to find hidden partitions set up by systems administrators to hide backup files. Further analysis confirmed an even more advanced technique: this DarkSide variant seeks out partitions on a multi-boot system to find additional files to encrypt, thereby causing greater damage.
DarkSide ransomware code is efficient and well-constructed, indicating that the cybercriminal organization behind it includes experienced software engineers.
This ransomware variant (NOT the version used to disrupt Colonial Pipeline operations) is advanced in nature and was observed seeking out partitions in a multi-boot environment to create further damage. It also seeks out the domain controller and connects to its Active Directory via LDAP anonymous authentication.
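Because the variant is described as reaching Active Directory over an anonymous LDAP bind, a defender will want to know whether the forest even permits anonymous LDAP operations. The following check is an added example, not code from FortiGuard's analysis; it reads the forest-wide dsHeuristics attribute, whose seventh character controls anonymous LDAP access, and assumes the ActiveDirectory RSAT module in a domain-joined session with read access to the configuration partition.

```powershell
# Added defensive check (not from the original FortiGuard post).
# Reports whether the forest allows anonymous LDAP operations beyond rootDSE,
# the access path this DarkSide variant is described as using.
# Assumes: ActiveDirectory module available, domain-joined session, read access.
Import-Module ActiveDirectory

function Test-AnonymousLdapEnabled {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
    $heur     = (Get-ADObject -Identity $dsPath -Properties dsHeuristics).dsHeuristics

    # dsHeuristics is a positional string. The 7th character (index 6) governs
    # anonymous LDAP operations; '2' means anonymous clients may query the
    # directory beyond rootDSE. Unset or any other value means they are blocked,
    # which is the default on Windows Server 2003 and later.
    $enabled = [bool]($heur -and $heur.Length -ge 7 -and $heur[6] -eq '2')

    [pscustomobject]@{
        ConfigurationNC      = $configNC
        dsHeuristics         = if ($heur) { $heur } else { '<not set>' }
        AnonymousLdapEnabled = $enabled
    }
}

Test-AnonymousLdapEnabled | Format-List
```

If AnonymousLdapEnabled reports True, clearing the seventh character of dsHeuristics back to '0' restores the default that rejects anonymous queries, and domain controllers should be checked for any application that depended on the setting before changing it.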
Additional insight on the files used by, and associated with, DarkSide was uncovered by the FortiGuard Incident Response team during recent engagements.
The variant uses a well-known bulletproof host that has been used by a wide variety of malicious actors for numerous nefarious activities over the years, including the 2016 DNC election attack in the United States.