DarkSide
DarkSide is a ransomware-as-a-service (RaaS) cybercriminal group widely known for the May 2021 ransomware attack on Colonial Pipeline, which disrupted fuel deliveries on the U.S. East Coast and caused significant operational and economic impact. Reporting describes DarkSide as a Russia-based or Russia-linked criminal group; U.S. officials stated the actors were based in Russia while noting there was no confirmed direct Russian state involvement. DarkSide publicly claimed to be financially motivated and apolitical.

The group operated a RaaS model in which developers supplied ransomware tooling to affiliates in exchange for a share of ransom proceeds. Reported details include affiliate vetting, management panels used to build ransomware, manage victims, and control leak-site publication, and revenue sharing that varied by ransom size. DarkSide used double extortion, stealing data before encryption and threatening public release if victims did not pay. Reporting links DarkSide to numerous intrusions in the U.S. and Europe (described as scores of hacked companies) and states its leak site featured data from more than 80 companies. Reported targeting behavior indicates the group avoided Russian, Kazakh, and Ukrainian organizations.

Observed tactics and intrusion methods associated with the DarkSide ecosystem and its affiliates include use of stolen or weak VPN credentials, brute-force and password-spraying against remote access services, exploitation of the SonicWall SMA100 vulnerability CVE-2021-20016, phishing, use of TeamViewer for persistence, use of the Smokedham .NET backdoor, use of NGROK to expose remote desktop services, credential-based access purchased from other criminals, rapid data theft prior to encryption, and dwell times ranging from a few days to weeks depending on the affiliate cluster.
The Colonial Pipeline intrusion is described as beginning with a stolen password for an outdated VPN account that lacked two-factor authentication; the attackers reportedly stole about 100 GB of data and then deployed ransomware against the IT environment. Colonial Pipeline paid a ransom reported at roughly $4.3 million to $5 million, and the U.S. Department of Justice later seized approximately $2.3 million in Bitcoin tied to the payment. Reporting also notes law-enforcement pressure after the Colonial Pipeline incident, including FBI attribution, U.S. reward offers for information on DarkSide members and affiliates, and cryptocurrency seizure actions. DarkSide is described as later shutting down under that pressure. BlackMatter and then ALPHV/BlackCat were believed to be rebrands or successor operations linked to DarkSide. Affiliate associations include Mikhail Matveev (Wazawaka), who was described as having worked with DarkSide.
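The password-spraying and weak-VPN-credential access the profile attributes to DarkSide affiliates is detectable from authentication logs alone. The following is an added example, not code from the original profile or from Mallory: it parses constructed VPN authentication lines in a hypothetical format, flags any source that fails against many distinct accounts inside a short window (accounts, not attempts, are what distinguish spraying from a single-account brute force), and reports whether that source subsequently succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed VPN auth events in a hypothetical log format (not a vendor's).
# 203.0.113.10 fails once against each of five accounts, then succeeds.
SAMPLE_LOG = """\
2021-05-01T02:00:01Z vpn auth result=FAIL user=alice src=203.0.113.10
2021-05-01T02:00:04Z vpn auth result=FAIL user=bob src=203.0.113.10
2021-05-01T02:00:07Z vpn auth result=FAIL user=carol src=203.0.113.10
2021-05-01T02:00:10Z vpn auth result=FAIL user=dave src=203.0.113.10
2021-05-01T02:00:13Z vpn auth result=FAIL user=erin src=203.0.113.10
2021-05-01T02:00:19Z vpn auth result=OK user=dave src=203.0.113.10
2021-05-01T02:05:00Z vpn auth result=FAIL user=alice src=198.51.100.7
2021-05-01T02:05:30Z vpn auth result=FAIL user=alice src=198.51.100.7
2021-05-01T02:06:00Z vpn auth result=OK user=alice src=198.51.100.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn auth result=(?P<result>OK|FAIL) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_events(text):
    """Parse log text into sorted (timestamp, result, user, src) tuples,
    skipping lines that do not match the expected format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["user"], m["src"]))
    return sorted(events)


def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Return {src: (sprayed_users, succeeded_users)} for sources whose
    failures hit at least min_users distinct accounts within one window.
    Counting accounts rather than attempts is what catches spraying."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))
    alerts = {}
    for src, evs in by_src.items():
        fails = [(ts, u) for ts, r, u in evs if r == "FAIL"]
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_users:
                # A success from a spraying source is the urgent signal.
                ok = {u for ts, r, u in evs if r == "OK" and ts >= start}
                alerts[src] = (users, ok)
                break
    return alerts
```

The source at 198.51.100.7 fails twice against one account and is not flagged; tune `window` and `min_users` to the login volume of the VPN concentrator being monitored.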
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Energy
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
Tradecraft
32 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
18 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Ransomware-as-a-service operation described as part of the industrialization of extortion, using structured affiliate and support models.
Described as a ransomware-as-a-service group operating organized extortion campaigns with affiliate and support structures.
Ransomware operation responsible for the Colonial Pipeline incident (May 2021), gaining initial access via a compromised VPN password on an account without MFA (and reportedly inactive), rapidly exfiltrating data and encrypting billing systems to extort payment.
Referenced as a ransomware group associated with Russian-language cybercrime forums; no specific operations described in this content.