CompuCom Hit By DarkSide Ransomware, Tells Customers: Report

‘Based on our expert’s analysis to date, we understand that the attacker deployed a persistent Cobalt Strike backdoor to several systems in the environment and acquired administrative credentials. These administrative credentials were then used to deploy the Darkside Ransomware,’ CompuCom tells customers.

CompuCom told customers it suffered a DarkSide ransomware attack after the hackers acquired administrative credentials for the Office Depot subsidiary, according to BleepingComputer.

The ransomware group started by installing Cobalt Strike beacons on several systems in the ecosystem of Dallas-based CompuCom, No. 41 on the 2020 CRN Solution Provider 500. That’s according to a ‘Customer FAQ Regarding Malware Incident’ document shared with BleepingComputer Thursday. Hackers use Cobalt Strike to proactively test victim’s defenses against advanced tactics and procedures.

The Cobalt Strike beacons give remote adversaries access to the network to steal data and spread to other machines, according to BleepingComputer. Then on Sunday, BleepingComputer said the hackers were able to achieve their objective of deploying the ransomware. CompuCom first suffered an outage over the weekend that blocked customers from opening troubleshooting tickets in the company portal.

[Related: CompuCom Hit With Malware As MSPs Remain Under Siege]

“Based on our expert’s analysis to date, we understand that the attacker deployed a persistent Cobalt Strike backdoor to several systems in the environment and acquired administrative credentials,” the CompuCom FAQ reads, according to BleepingComputer. “These administrative credentials were then used to deploy the Darkside Ransomware.” CompuCom hasn’t responded to CRN requests for comment.

It is likely that the DarkSide ransomware operators harvested CompuCom’s unencrypted files before encrypting the devices, according to BleepingComputer. If CompuCom or CompuCom customer data was stolen and a ransom is not paid, the DarkSide group will likely publish this data on their ransomware leak site in the next few weeks, BleepingComputer reported.

With its latest admission, CompuCom becomes the fifth solution provider behemoth to suffer a ransomware attack in the past year, following in the footsteps of Cognizant, Conduent, DXC Technology and Tyler Technologies. The five channel titans that have been hit with ransomware have combined revenue of $42.78 billion and a joint market cap of $54.36 billion.

CompuCom admitted late Wednesday that a malware attack has been affecting some of the services the large national systems integrator provides to customers, adding that it’s in the process of restoring customer services and internal operations. But CompuCom didn’t respond to CRN questions about whether it was a ransomware attack, even that multiple people had told BleepingComputer it was.

Starting over the weekend, customers attempting to access CompuCom’s portal would receive a message stating “An error occurred while processing your request. We apologize for the inconvenience. Please re-submit your request,” BleepingComputer said. Soon after the attack, CompuCom began contacting customers to let them know that the company had been compromised by malware.

CompuCom reportedly disconnected their access to some customers to stop the malware from spreading, according to BleepingComputer. One customer told BleepingComputer they had detached from CompuCom’s Virtual Desktop Infrastructure (VDI) to ensure their data wasn’t affected by the attack.

DarkSide can encrypt both Windows and Linux systems, according to Brett Callow, a threat analyst with Emsisoft. The New Zealand-based anti-malware vendor has a decryptor for DarkSide that doesn’t avoid the need for a ransom demand to be paid, but does enable victims to reduce their recovery time by up to 70 percent as compared with the tools offered by the criminals, Callow told CRN.

DarkSide was launched on Aug. 10, 2020, with the operators pledging not to attack hospitals, schools, nonprofits or government targets, Wired reported in August 2020. The ransomware group also claimed at launch that it’d only attack businesses who can afford to pay a ransom, according to Wired.

“Before any attack, we carefully analyze your accountancy and determine how much you can pay based on your net income,” DarkSide wrote in its Aug. 10, 2020, press release.

Then in October, the operators behind DarkSide made the puzzling decision to donate $10,000 in Bitcoin from ransom proceeds to charities Children International and The Water Project, BBC News reported at the time. A Children International spokesperson told BBC at the time it wouldn’t be keeping the money since the donation was linked to a hacker.

“We think that it’s far that some of the money the companies have paid will go to charity,” DarkSide wrote in a Oct. 13 blog post. “No matter how bad you think our work is, we are pleased to know that we helped changed someone’s life. Today, we sended (sic) the first donations.”