DarkSide
DarkSide is a ransomware-as-a-service (RaaS) operation and ransomware family that first surfaced publicly in 2020 and is described in later reporting as defunct/retired. It is best known for the May 2021 Colonial Pipeline incident, which the FBI confirmed was caused by DarkSide ransomware and attributed to a DarkSide affiliate. That intrusion disrupted Colonial Pipeline's IT environment, led the company to shut down pipeline operations, caused fuel shortages and panic buying across parts of the U.S. East Coast, and ended with a ransom payment of about 75 bitcoin (roughly $4.4 million at the time). The U.S. Department of Justice later seized approximately $2.3 million in cryptocurrency tied to that payment.
DarkSide operated as a double-extortion RaaS program: core operators supplied the ransomware tooling, management infrastructure, and leak-site capabilities, and affiliates carried out the intrusions in exchange for a share of ransom proceeds. Reported affiliate terms included tiered revenue sharing, an interview process for prospective affiliates, and administrative panels for building payloads, managing victims, and controlling publication of stolen data. DarkSide was associated with at least 60 known double-extortion cases in the period covered by the reporting, and its leak site reportedly listed data from more than 80 victim organizations in the U.S. and Europe.
Observed initial access vectors include phished or stolen credentials, purchased VPN access, brute-force and password-spraying activity, phishing-delivered malware, and exploitation of CVE-2021-20016 in SonicWall SMA100 SSL VPN appliances by at least one affiliate cluster. FireEye linked multiple affiliate clusters to the ecosystem, including UNC2628, UNC2659, and UNC2465. Reported tradecraft included use of legitimate corporate VPN credentials, TeamViewer for persistence, delivery of the Smokedham .NET backdoor, NGROK to expose Remote Desktop services to the internet, and commodity tooling such as Cobalt Strike and SystemBC.
DarkSide targeted both Windows and Linux systems. The Windows variant appended a unique extension to encrypted files, attempted privilege escalation via the CMSTPLUA UAC-bypass technique when not already running elevated, terminated services associated with backup and database products including Commvault, Veeam, MailEnable, and SQL Server, attempted to tamper with Sophos services, and deleted Volume Shadow Copies to hinder recovery. The Linux variant was delivered as an ELF binary and specifically targeted VMware ESX/ESXi hosts by encrypting VMDK virtual disk files, including those under /vmfs/volumes/. Reporting at the time described DarkSide as one of a small number of ransomware strains capable of encrypting VMware ESXi shared virtual hard drives.
In investigated incidents, the time from initial access to ransomware deployment ranged from roughly 44 to 88 days, with a reported median of about 45 days in Sophos cases, although some affiliate activity moved from access to deployment much faster. During that dwell time, actors conducted reconnaissance, moved laterally via PSExec, RDP, and (on Linux servers) SSH, and exfiltrated data from multiple departments. In reported cases the stolen archives were uploaded to Mega or pCloud.
DarkSide publicly claimed to be apolitical and profit-motivated, and said it would avoid certain sectors and public-interest targets, including healthcare and vaccine-related entities. In practice the affiliate model limited operator control over target selection and attack consequences. Multiple reports state DarkSide appeared to avoid targeting Russian, Kazakh, and Ukrainian organizations, and U.S. officials said there was evidence the actors were in Russia, though the available reporting does not establish a confirmed nation-state link.
The malware and operation are associated with affiliates and the broader criminal ecosystem rather than a single state actor. Microsoft's reporting names ELBRUS as the developer and operator of the DarkSide RaaS ecosystem, and separate reporting states FIN7 managed DarkSide and BlackMatter as part of its own RaaS activity; ELBRUS is Microsoft's tracking name for the actor others track as FIN7, so the two attributions describe the same group. Reporting further references cooperation or claimed association between criminal actors such as Wazawaka (Mikhail Matveev) and DarkSide affiliates.
Notable tradecraft and artifacts that follow from the reporting above: exploitation of CVE-2021-20016 against SonicWall SMA100 devices, CMSTPLUA privilege escalation, PSExec/RDP/SSH for lateral movement, TeamViewer persistence, Smokedham backdoor delivery, NGROK exposure of Remote Desktop services, Mega and pCloud as exfiltration destinations, deletion of Volume Shadow Copies, termination of Commvault/Veeam/MailEnable/SQL Server services, and Linux encryption of VMDK files under /vmfs/volumes/ on VMware ESX/ESXi hosts. These are behaviours rather than atomic indicators; hunt for them in process-creation, service-control, and proxy telemetry rather than relying on hashes alone.
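The ESXi behaviour above is the part most environments have the least telemetry for. The following triage script, added here as an example and not DarkSide code or any vendor's tool, walks a datastore tree such as /vmfs/volumes and flags VMDK files whose descriptor or sparse-extent header is gone, raw -flat extents whose first block is near-random, and files with an extra extension appended after .vmdk. The directory layout, file contents and entropy cut-off are constructed assumptions; the profile does not state how the Linux variant names encrypted files, so the rename check is a generic locker heuristic rather than a DarkSide-specific one.

```python
"""Triage a VMFS datastore tree for VMDK files an ESXi locker has overwritten
or renamed. Added example with constructed sample data, not DarkSide code or
any vendor's tool."""
import math
import os
import random
import tempfile

DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"  # text header of a VMDK descriptor file
SPARSE_MAGIC = b"KDMV"                        # magic of a hosted (sparse) VMDK extent
RAW_EXTENT_SUFFIXES = ("-flat.vmdk", "-delta.vmdk", "-sesparse.vmdk")
HEAD_BYTES = 4096
ENTROPY_THRESHOLD = 7.8  # assumed cut-off; well-formed headers sit far below it


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_vmdk(path: str):
    """Return (reason, entropy) if `path` looks encrypted or renamed, else None."""
    lower = os.path.basename(path).lower()
    # A '.vmdk.' followed by anything else means an extension was appended.
    if ".vmdk." in lower:
        return ("renamed_vmdk_appended_extension", None)
    if not lower.endswith(".vmdk"):
        return None
    with open(path, "rb") as fh:
        head = fh.read(HEAD_BYTES)
    ent = shannon_entropy(head)
    if lower.endswith(RAW_EXTENT_SUFFIXES):
        # Raw extents carry no magic; a near-random first block is the only
        # cheap signal and will false-positive on guests using full-disk encryption.
        return ("high_entropy_extent", ent) if ent > ENTROPY_THRESHOLD else None
    if head.startswith(DESCRIPTOR_MAGIC) or head.startswith(SPARSE_MAGIC):
        return None
    return ("vmdk_header_missing", ent)


def triage(root: str):
    """Walk `root` (e.g. /vmfs/volumes) and return [(relative_path, reason, entropy)]."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result = inspect_vmdk(full)
            if result:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, result[0], result[1]))
    return sorted(findings)


def build_fixture(root: str) -> None:
    """Constructed datastore: one healthy VM, one overwritten, one renamed extent."""
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    files = {
        "ds1/web01/web01.vmdk": DESCRIPTOR_MAGIC + b"\nversion=1\ncreateType=\"vmfs\"\n",
        "ds1/web01/web01-flat.vmdk": bytes(8192),            # zero-filled raw extent
        "ds1/web01/web01.vmx": b"config.version = \"8\"\n",
        "ds1/db01/db01.vmdk.a1b2c3d4": rng.randbytes(512),   # appended extension
        "ds1/db01/db01-flat.vmdk": rng.randbytes(8192),      # overwritten raw extent
        "ds1/app01/app01.vmdk": rng.randbytes(4096),         # descriptor overwritten
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the fixture in a temp dir and return {relative_path: reason}."""
    root = tempfile.mkdtemp(prefix="vmfs-")
    build_fixture(root)
    return {rel: reason for rel, reason, _ in triage(root)}


if __name__ == "__main__":
    for rel, reason in demo().items():
        print(f"{reason:34} {rel}")
```

Run `triage("/vmfs/volumes")` from an ESXi shell or against a mounted copy of the datastore. A guest that uses full-disk encryption will trip the entropy check on its -flat extent, so treat that finding as a lead to confirm against the VM's last-known-good state rather than as proof of encryption; the missing-header and appended-extension findings are far more specific.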
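To turn the Windows behaviours and the exfiltration pattern above into something hunt-able, the following script, added here as an example and not a vendor detection or DarkSide code, runs a handful of rules over constructed Sysmon-style process-creation events and web-proxy records: Volume Shadow Copy deletion via vssadmin, wmic or the PowerShell/WMI route, `net stop`/`sc stop` of Commvault (Gx*), Veeam, MailEnable or SQL Server services, a process spawned by the elevated CMSTPLUA COM surrogate (dllhost.exe carrying the CMSTPLUA CLSID, which comes from public UAC-bypass research rather than from this profile), and bulk uploads to Mega or pCloud. The field names, the service-name regex, the CLSID-based rule shape and the 100 MiB bulk-upload threshold are assumptions.

```python
"""Detection logic for the DarkSide tradecraft described in this profile, run
over constructed Sysmon-style process-creation events and web-proxy records.
Added example: rules, field names and sample records are assumptions, not
vendor detections or DarkSide code."""
import re

# CLSID of the CMSTPLUA COM interface abused by the CMSTPLUA UAC bypass.
# Taken from public UAC-bypass research; the profile names only the technique.
CMSTPLUA_CLSID = "{3e5fc7f9-9a51-4367-9063-a120244fbec7}"

# Service-name fragments for the products the profile says DarkSide stops:
# Commvault (Gx* services), Veeam, MailEnable, SQL Server. Assumed regex.
BACKUP_SERVICE_RE = re.compile(
    r"\b(?:veeam\w*|gx\w+|commvault\w*|mailenable\w*|mssql\w*|sqlserver\w*|sqlwriter)\b",
    re.I)
# vssadmin, wmic and the PowerShell/WMI route to deleting Volume Shadow Copies.
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
    r"|win32_shadowcopy.*\.delete\(", re.I)
SERVICE_STOP_RE = re.compile(r"\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(\S+)", re.I)
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz", "pcloud.com")  # named in the profile
BULK_UPLOAD_BYTES = 100 * 1024 * 1024  # assumed cut-off for "bulk" outbound volume


def classify_process(ev: dict) -> list:
    """Rule names that fire for one process-creation event."""
    hits = []
    cmd = ev.get("CommandLine", "")
    if SHADOW_DELETE_RE.search(cmd):
        hits.append("shadow_copy_deletion")
    m = SERVICE_STOP_RE.search(cmd)
    if m and BACKUP_SERVICE_RE.search(m.group(1)):
        hits.append("backup_service_stop")
    # The CMSTPLUA bypass runs its payload as a child of the elevated COM
    # surrogate (dllhost.exe /Processid:{CLSID}); alert on that child.
    parent = ev.get("ParentImage", "").lower()
    if parent.endswith("dllhost.exe") and CMSTPLUA_CLSID in ev.get("ParentCommandLine", "").lower():
        hits.append("cmstplua_elevated_child")
    return hits


def classify_web(rec: dict) -> list:
    """Rule names for one proxy record {host, method, bytes_out}."""
    host = rec.get("host", "").lower().rstrip(".")
    if not any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS):
        return []
    if rec.get("method", "").upper() in ("POST", "PUT") and rec.get("bytes_out", 0) >= BULK_UPLOAD_BYTES:
        return ["cloud_storage_bulk_upload"]
    return ["cloud_storage_contact"]


PROCESS_EVENTS = [  # constructed sample telemetry, not from a real incident
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop VeeamBackupSvc /y",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop GxVss",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net stop Spooler",  # benign administrative noise
     "ParentImage": r"C:\Windows\System32\cmd.exe", "ParentCommandLine": "cmd.exe"},
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "CommandLine": "update.exe",
     "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "ParentCommandLine": "userinit.exe"},
]
WEB_RECORDS = [  # constructed proxy records: host, method, bytes sent by the client
    {"host": "g.api.mega.co.nz", "method": "POST", "bytes_out": 2 * 1024 ** 3},
    {"host": "api.pcloud.com", "method": "POST", "bytes_out": 500 * 1024 ** 2},
    {"host": "www.microsoft.com", "method": "GET", "bytes_out": 512},
]


def hunt(process_events=PROCESS_EVENTS, web_records=WEB_RECORDS) -> list:
    """Return [(source, record_index, rule)] for every rule that fires."""
    findings = []
    for i, ev in enumerate(process_events):
        findings.extend(("process", i, rule) for rule in classify_process(ev))
    for i, rec in enumerate(web_records):
        findings.extend(("web", i, rule) for rule in classify_web(rec))
    return findings


if __name__ == "__main__":
    for source, idx, rule in hunt():
        print(f"{source:8} #{idx} {rule}")
```

One caveat on scope: the ransomware payload itself stops services from inside its own process through the service-control API, so the `net stop`/`sc stop` rule catches hands-on-keyboard preparation, not the locker. Pair it with Service Control Manager event 7036 (a service entered the stopped state) filtered on the same Veeam, Commvault, MailEnable and SQL Server service names, and treat any of these findings on a host that also reaches Mega or pCloud as a single incident rather than separate alerts.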
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories: CVE-2021-20016 (SonicWall SMA100 SSL VPN).
Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals.
The threat actor obtained initial access to their victim by exploiting CVE-2021-20016, an exploit in the SonicWall SMA100 SSL VPN product, which has been patched by SonicWall. There is some evidence to suggest the threat actor may have used the vulnerability to disable multi-factor authentication options on the SonicWall VPN, although this has not been confirmed.
Groups observed using it
7 distinct threat actors attributed by public researchers.
In 2023, FIN7 expanded its operations to include the deployment of ransomware through affiliations with RaaS groups such as REvil and Maze, while also managing its own RaaS programs, including the now-retired Darkside and BlackMatter.
ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware.
FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.
The attack began when a hacker group identified as DarkSide accessed the Colonial Pipeline network. The attackers stole 100 gigabytes of data within a two-hour window. Following the data theft, the attackers infected the Colonial Pipeline IT network with ransomware that affected many computer systems, including billing and accounting.
Techniques & procedures
31 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Resource Development (1 technique)
Initial Access (2 techniques)
Execution (2 techniques)
Persistence (3 techniques)
In Sophos’ experience in data forensics and incident response to DarkSide attacks, the initial access to the target’s network came primarily as a result of phished credentials.
Privilege Escalation (4 techniques)
If it does not, the malware attempts to elevate its privileges using the CMSTPLUA technique.
Stealth (3 techniques)
Like other ransomware, DarkSide also deletes Volume Shadow Copies, which could help recover some of the encrypted data if left unmolested.
Defense Impairment (1 technique)
Discovery (3 techniques)
Lateral Movement (4 techniques)
Using PSExec, Remote Desktop connections, and (in the case of Linux servers) SSH to move laterally within the network...
Collection (1 technique)
Command and Control (2 techniques)
Exfiltration (4 techniques)
Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder.
...the company did pay as it sought to retrieve the stolen information.
Impact (4 techniques)
DarkSide follows in the footsteps of double-extortion ransomware operators such as REvil, Maze, and LockBit—exfiltrating business data before encrypting it, and threatening public release if the victims don’t pay for a decryption key.
IOCs tracked for this family
62 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
74 sources tracked across advisories, community write-ups, and news.
A named ransomware operation/group referenced in connection with Telegram channels linked to exposed credential records.
DarkSide is referenced as the ransomware family inspiring the simulated attack scenario used to evaluate the defense agents.
Referenced as a model for high-quality ESXi locker development for Black Basta's planned new ransomware.
Ransomware used by the DarkSide gang in the Colonial Pipeline incident to extort payment from victims.