DarkSide

DarkSide is a ransomware-as-a-service (RaaS) cybercriminal operation best known for the May 2021 Colonial Pipeline attack, which the FBI attributed to the group and specifically to a DarkSide affiliate. The group is described in the content as Russia-based or operating from Eastern Europe/Russia, though the content does not confirm a nation-state link; U.S. officials stated the actors were in Russia but not part of the Russian government. DarkSide used an affiliate model in which operators supplied ransomware, tooling, management panels, and leak-site capabilities in exchange for a share of ransom proceeds. The group conducted double extortion, stealing data before encrypting systems and threatening public release if victims did not pay. The content states DarkSide was responsible for at least 60 known double-extortion cases in the referenced period. DarkSide is associated with the Colonial Pipeline disruption, which caused shutdown of pipeline operations and fuel shortages on the U.S. East Coast. Colonial Pipeline paid roughly $4.3 million to $4.4 million in Bitcoin, and the U.S. Department of Justice later seized approximately $2.3 million of those proceeds. DarkSide publicly claimed to be apolitical and profit-motivated, and after the Colonial incident stated it would review targets to avoid social consequences. The content also states DarkSide claimed to avoid certain targets, including public-interest sectors such as healthcare and vaccine-related entities, but its affiliate model limited operator control over victim selection. Observed tradecraft in the content includes initial access via phished or stolen VPN credentials, brute force and password spraying against exposed remote services, and exploitation of SonicWall SMA100 vulnerability CVE-2021-20016 by an affiliate cluster. Affiliates and related intrusion clusters used suspicious authentication attempts, phishing, TeamViewer persistence, Smokedham .NET backdoor delivery, NGROK to expose remote desktop services, and tools such as Cobalt Strike and SystemBC. Lateral movement methods included PSExec, RDP, and SSH. Data was exfiltrated to Mega or pCloud. On Windows, DarkSide attempted privilege escalation via CMSTPLUA, terminated backup and database services including Commvault, Veeam, MailEnable, and SQL Server, tampered with Sophos services, and deleted Volume Shadow Copies. The Linux variant was delivered as an ELF binary and targeted VMware ESX VMDK files under /vmfs/volumes/. The content links DarkSide to later rebrands and spinoffs. It states BlackMatter and then BlackCat/ALPHV are believed to be successor or rebranded operations following law-enforcement pressure after Colonial Pipeline. The content also references affiliates and associated actors including Wazawaka/Mikhail Matveev as having worked with DarkSide, and notes FireEye tracking of DarkSide affiliate clusters including UNC2628, UNC2659, and UNC2465.