Skip to content
Ransomware group

Darkside

DarkSide is a ransomware-as-a-service (RaaS) operation first publicly reported in August 2020 and widely known for the May 2021 Colonial Pipeline incident.

Profile source: Mallory opens in a new tab

Darkside

Family profile

DarkSide is a ransomware-as-a-service (RaaS) operation first publicly reported in August 2020 and widely known for the May 2021 Colonial Pipeline incident. The FBI confirmed DarkSide ransomware was responsible for the compromise of Colonial Pipeline networks. The intrusion was attributed to a DarkSide affiliate, and reporting in the provided content states initial access occurred via a legacy VPN account without MFA whose credentials had previously leaked or through an exposed reused VPN password. The attack affected Colonial Pipeline’s IT environment, including billing and accounting systems, led to a preventive shutdown of pipeline operations, and caused major fuel supply disruption on the U.S. East Coast. Colonial Pipeline paid 75 bitcoin, worth about $4.4 million at the time, and the U.S. Department of Justice later seized approximately $2.3 million in cryptocurrency tied to the payment.

DarkSide operated a structured affiliate program in which developers provided ransomware tooling, management panels, and leak-site capabilities in exchange for a share of ransom proceeds. The content states affiliates were interviewed before joining, developers took 25% of payments under $500,000 and 10% over $5 million, and affiliates could manage victims and choose what stolen data to publish. DarkSide used double extortion, stealing data before encryption and threatening public release if victims refused to pay. The operation was described as responsible for at least 60 known double-extortion cases in the referenced period, and its leak site reportedly featured stolen data from more than 80 companies in the U.S. and Europe.

Observed intrusion tradecraft in the provided content includes initial access via phished credentials, purchased or brute-forced VPN credentials, phishing, and exploitation of SonicWall SMA100 vulnerability CVE-2021-20016 by at least one affiliate cluster. Affiliates and related clusters used suspicious authentication attempts, spray-and-pray and brute-force activity, TeamViewer persistence, the Smokedham .NET backdoor, NGROK to expose remote desktop services, commodity malware such as SystemBC, and Cobalt Strike. Lateral movement methods mentioned include PSExec, RDP, and SSH. Sophos reported dwell times ranging from 44 to 88 days with a median of 45 days, while FireEye described some affiliate activity moving from access to ransomware deployment in as little as two to three days.

DarkSide targeted both Windows and Linux systems. The Windows variant appended a unique file extension to encrypted files, attempted privilege escalation via the CMSTPLUA technique when administrative privileges were absent, terminated services associated with Commvault, Veeam, MailEnable, and SQL Server, attempted to tamper with Sophos services, and deleted Volume Shadow Copies. The Linux variant was delivered as an ELF binary and specifically targeted VMware ESX/ESXi environments by encrypting VMDK virtual disk files, including under /vmfs/volumes/. The content also notes DarkSide was one of only a few ransomware families at the time reported to encrypt VMware ESXi shared virtual hard drives.

DarkSide publicly claimed to be apolitical and profit-motivated, and said it avoided certain public-interest sectors and companies in Russia, Kazakhstan, and Ukraine. However, the content also notes that its affiliate model limited central control over victim selection and attack consequences. Multiple references in the content associate DarkSide with Russian-speaking cybercrime ecosystems and actors, including affiliate recruitment of Russian-speaking partners, discussion on XSS, and claims by U.S. officials that the actors were believed to be in Russia, though the content states there was no confirmed nation-state link. The operation is described in the content as now defunct or retired.

Ransomware.live

Operational record

View group record ↗

Credential Theft

  • Mimikatz
  • SessionGopher

Discovery Enum

  • ADRecon
  • AdFind
  • Advanced IP Scanner
  • SoftPerfect NetScan

Exfiltration

  • Bashupload
  • MEGA
  • RClone
  • Sendspace
  • pCloud

LOLBAS

  • PsExec

Networking

  • Plink

Offsec

  • Cobalt Strike
  • CrackMapExec
  • Impacket
  • PowerSploit

RMM Tools

  • AnyDesk
  • GoToAssist
  • TightVNC

Reported operators

Threat actors

7 named in public reporting
FIN7

In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.

DEV-0289

ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware.

UNC2465

FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.

UNC2628

FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.

UNC2659

FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.

DarkSide

The attack began when a hacker group identified as DarkSide accessed the Colonial Pipeline network. The attackers stole 100 gigabytes of data within a two-hour window. Following the data theft, the attackers infected the Colonial Pipeline IT network with ransomware that affected many computer systems, including billing and accounting.

Wazawaka

Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes.

Exploited software

Vulnerabilities linked to Darkside

1 CVEs

MITRE ATT&CK

Darkside in ATT&CK

51 distinct techniques

Techniques

51 techniques
T1105 Ingress Tool Transfer T1082 System Information Discovery T1562 Impair Defenses T1567.002 Exfiltration to Cloud Storage T1059 Command and Scripting Interpreter T1489 Service Stop T1486 Data Encrypted for Impact T1021.002 SMB/Windows Admin Shares T1033 System Owner/User Discovery T1074 Data Staged T1021.001 Remote Desktop Protocol T1570 Lateral Tool Transfer T1112 Modify Registry T1598 Phishing for Information T1078 Valid Accounts T1070.004 File Deletion T1021.004 SSH T1068 Exploitation for Privilege Escalation T1048 Exfiltration Over Alternative Protocol T1583.006 Web Services T1537 Transfer Data to Cloud Account T1071 Application Layer Protocol T1566 Phishing T1657 Financial Theft T1614 System Location Discovery T1041 Exfiltration Over C2 Channel T1548.002 Bypass User Account Control T1562.001 Disable or Modify Tools T1490 Inhibit System Recovery T1574 Hijack Execution Flow T1543.003 Windows Service T1614.001 System Language Discovery T1053.003 Cron T1059.001 PowerShell T1498 Network Denial of Service T1598.004 Spearphishing Voice T1548 Abuse Elevation Control Mechanism T1027 Obfuscated Files or Information T1047 Windows Management Instrumentation T1074.001 Local Data Staging T1548.003 Sudo and Sudo Caching T1140 Deobfuscate/Decode Files or Information T1546.001 Change Default File Association T1190 Exploit Public-Facing Application T1003.001 OS Credential Dumping: LSASS Memory T1003.003 OS Credential Dumping: NTDS T1046 Network Service Discovery T1482 Domain Trust Discovery T1560.001 Archive Collected Data: Archive via Utility T1071.001 Application Layer Protocol: Web Protocols T1219 Remote Access Software

Reporting

Research mentioning Darkside

Jul 7
Codeby

Оценка киберрисков критической инфраструктуры OT/ICS

Colonial Pipeline (2021): DarkSide ransomware проник через legacy VPN-аккаунт без MFA, реквизиты которого утекли ранее.

Jun 30
Security Affairs

XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn't

On 13 May 2021, days after the DarkSide attack on Colonial Pipeline, the XSS administrator banned all ransomware activity and deleted existing ransomware threads.

Jun 17
Scworld

Massive database with 24 billion credentials found exposed online | brief | SC Media

Notably, around 260 million records are linked to Telegram channels associated with the defunct ransomware group "Darkside."

May 20
Arxiv

[2605.21694] PocketAgents: A Manifest-Driven Library of Autonomous Defense Agents

We implemented PocketAgents on top of a cyber arena (Perry), a cyber-deception testbed, and evaluated two agents, Command and Control and Exfiltration, in 18 closed-loop trials of a DarkSide-inspired attack on a small enterprise topology.

May 19
Trellix

Analysis of Black Basta Ransomware Chat Leaks

GG recommended looking into Darkside/Blackmatter/BlackCat ESXi locker(s), praising its quality and admin panel.

May 6
Lawfare Media

A First Step to Unpacking Cyber, Deception, and Intelligence Contests | Lawfare

In the closing pages of the book, he dismisses all ransomware, because the DarkSide gang only got a $4.4 million payment from Colonial Pipeline in 2021.

Feb 25
Splunk Research

Detection: Delete ShadowCopy With PowerShell | Splunk Security Content

This activity is significant because deleting shadow copies is a common tactic used by ransomware, such as DarkSide, to prevent data recovery.

Feb 25
Splunk Research

Detection: BITSAdmin Download File | Splunk Security Content

Associated Analytic Story ... DarkSide Ransomware

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.