UNC2659
UNC2659 is a threat cluster tracked by FireEye/Mandiant as a current or former affiliate linked to the DARKSIDE ransomware-as-a-service ecosystem. The cluster has been active since at least January 2021 and typically moved from initial access to ransomware deployment in about 10 days or less. UNC2659 obtained initial access by exploiting the SonicWall SMA100 SSL VPN vulnerability CVE-2021-20016, which SonicWall later patched. FireEye also reported unconfirmed evidence that the group may have used CVE-2021-20016 to disable multi-factor authentication options on SonicWall VPN devices. Observed UNC2659 tradecraft includes abusing TeamViewer for persistence, downloading tools from legitimate public websites, exfiltrating files before encryption, and using Rclone to exfiltrate hundreds of gigabytes of data to pCloud over SMB. Mandiant also observed UNC2659 accessing ESXi administration interfaces and disabling snapshot features before a ransomware deployment that affected several virtual machine images, and deploying a file named power_encryptor.exe. UNC2659 is described in the context of DARKSIDE double-extortion operations, in which victim data is exfiltrated and systems are encrypted.
DarkSide-linked affiliate cluster that gains initial access via SonicWall SMA100 SSL VPN exploitation, may disable MFA, uses TeamViewer for persistence, and exfiltrates files before encryption.
A DARKSIDE affiliate cluster that gained initial access by exploiting SonicWall SMA100, established persistence with remote administration tools, exfiltrated large volumes of data, and deployed ransomware affecting virtualized environments.