Credential Theft
- Mimikatz
- SessionGopher
DarkSide is a ransomware-as-a-service (RaaS) operation first publicly reported in August 2020 and widely known for the May 2021 Colonial Pipeline incident.
Profile source: Mallory opens in a new tabDarkside
DarkSide is a ransomware-as-a-service (RaaS) operation first publicly reported in August 2020 and widely known for the May 2021 Colonial Pipeline incident. The FBI confirmed DarkSide ransomware was responsible for the compromise of Colonial Pipeline networks. The intrusion was attributed to a DarkSide affiliate, and reporting in the provided content states initial access occurred via a legacy VPN account without MFA whose credentials had previously leaked or through an exposed reused VPN password. The attack affected Colonial Pipeline’s IT environment, including billing and accounting systems, led to a preventive shutdown of pipeline operations, and caused major fuel supply disruption on the U.S. East Coast. Colonial Pipeline paid 75 bitcoin, worth about $4.4 million at the time, and the U.S. Department of Justice later seized approximately $2.3 million in cryptocurrency tied to the payment.
DarkSide operated a structured affiliate program in which developers provided ransomware tooling, management panels, and leak-site capabilities in exchange for a share of ransom proceeds. The content states affiliates were interviewed before joining, developers took 25% of payments under $500,000 and 10% over $5 million, and affiliates could manage victims and choose what stolen data to publish. DarkSide used double extortion, stealing data before encryption and threatening public release if victims refused to pay. The operation was described as responsible for at least 60 known double-extortion cases in the referenced period, and its leak site reportedly featured stolen data from more than 80 companies in the U.S. and Europe.
Observed intrusion tradecraft in the provided content includes initial access via phished credentials, purchased or brute-forced VPN credentials, phishing, and exploitation of SonicWall SMA100 vulnerability CVE-2021-20016 by at least one affiliate cluster. Affiliates and related clusters used suspicious authentication attempts, spray-and-pray and brute-force activity, TeamViewer persistence, the Smokedham .NET backdoor, NGROK to expose remote desktop services, commodity malware such as SystemBC, and Cobalt Strike. Lateral movement methods mentioned include PSExec, RDP, and SSH. Sophos reported dwell times ranging from 44 to 88 days with a median of 45 days, while FireEye described some affiliate activity moving from access to ransomware deployment in as little as two to three days.
DarkSide targeted both Windows and Linux systems. The Windows variant appended a unique file extension to encrypted files, attempted privilege escalation via the CMSTPLUA technique when administrative privileges were absent, terminated services associated with Commvault, Veeam, MailEnable, and SQL Server, attempted to tamper with Sophos services, and deleted Volume Shadow Copies. The Linux variant was delivered as an ELF binary and specifically targeted VMware ESX/ESXi environments by encrypting VMDK virtual disk files, including under /vmfs/volumes/. The content also notes DarkSide was one of only a few ransomware families at the time reported to encrypt VMware ESXi shared virtual hard drives.
DarkSide publicly claimed to be apolitical and profit-motivated, and said it avoided certain public-interest sectors and companies in Russia, Kazakhstan, and Ukraine. However, the content also notes that its affiliate model limited central control over victim selection and attack consequences. Multiple references in the content associate DarkSide with Russian-speaking cybercrime ecosystems and actors, including affiliate recruitment of Russian-speaking partners, discussion on XSS, and claims by U.S. officials that the actors were believed to be in Russia, though the content states there was no confirmed nation-state link. The operation is described in the content as now defunct or retired.
Ransomware.live
Reported operators
In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.
ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware.
FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.
FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.
FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.
The attack began when a hacker group identified as DarkSide accessed the Colonial Pipeline network. The attackers stole 100 gigabytes of data within a two-hour window. Following the data theft, the attackers infected the Colonial Pipeline IT network with ransomware that affected many computer systems, including billing and accounting.
Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes.
Exploited software
MITRE ATT&CK
Reporting
Colonial Pipeline (2021): DarkSide ransomware проник через legacy VPN-аккаунт без MFA, реквизиты которого утекли ранее.
On 13 May 2021, days after the DarkSide attack on Colonial Pipeline, the XSS administrator banned all ransomware activity and deleted existing ransomware threads.
Notably, around 260 million records are linked to Telegram channels associated with the defunct ransomware group "Darkside."
We implemented PocketAgents on top of a cyber arena (Perry), a cyber-deception testbed, and evaluated two agents, Command and Control and Exfiltration, in 18 closed-loop trials of a DarkSide-inspired attack on a small enterprise topology.
GG recommended looking into Darkside/Blackmatter/BlackCat ESXi locker(s), praising its quality and admin panel.
In the closing pages of the book, he dismisses all ransomware, because the DarkSide gang only got a $4.4 million payment from Colonial Pipeline in 2021.
This activity is significant because deleting shadow copies is a common tactic used by ransomware, such as DarkSide, to prevent data recovery.
Associated Analytic Story ... DarkSide Ransomware
Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.