top of page
  • Writer's pictureFYEO

Ransomware Group Deep Dive: DarkSide


Every so often, the effects of a major cyber attack spill out into the real world, causing serious political and societal repercussions. Just two examples are the Stuxnet worm, thought to be developed by the United States and Israel against Iranian nuclear infrastructure, and the 2014 Sony Pictures hack, which U.S. officials believe was ordered by the North Korean government.

Perhaps the most recent instance of this occurring is the 2021 ransomware attack on the Colonial Pipeline oil pipeline system, which left many gas stations in the Southeastern U.S. without fuel for days. This attack was launched by the DarkSide ransomware group, a relatively new ransomware gang responsible for a number of high-profile incidents.

So what should companies know about the DarkSide ransomware group and the threats it poses to their business? This article will discuss all of that and more with a deep dive into the DarkSide ransomware group.

What Is the DarkSide Ransomware Group?

The DarkSide ransomware group was first observed in August 2020. This ransomware gang is believed to contain members of Russian origin, including former affiliates of the REvil ransomware group. DarkSide gained international prominence in May 2021, when it launched a ransomware attack on Colonial Pipeline.

According to Bloomberg, DarkSide was able to enter the Colonial Pipeline network using a compromised user password that had been leaked to the Dark Web. The Colonial Pipeline ransomware infection forced the company to temporarily shut down its 5,500-mile pipeline, which carries nearly half the fuel on the U.S. East Coast. As a result, the U.S. federal government issued an emergency declaration for 17 states and Washington, D.C.

The DarkSide ransomware gang is one of the purveyors of a business model known as “ransomware as a service” (RaaS). In RaaS, ransomware creators license their software to other cybercriminals for a fee, opening the gates for a wave of fresh attacks. Security researchers believe that the DarkSide group initially launched its own campaigns but later sold its ransomware kits and software tools to other gangs and individuals.

Unlike other ransomware groups, DarkSide claims to have at least a limited set of moral principles. The DarkSide group asserts that it does not target organizations such as hospitals, educational institutions, and nonprofits. However, it is unclear how these principles align with the RaaS business model, which allows attackers to use the DarkSide ransomware against any target for the right price.

Besides Colonial Pipeline, DarkSide has attacked companies in more than a dozen countries in a wide range of sectors, including finance, retail, manufacturing, and technology. DarkSide’s other victims have included Toshiba Tec Corp and chemical distribution company Brenntag.

The U.S. Department of State has offered a reward of up to $10 million for information on the leaders of the DarkSide group. In the wake of the Colonial Pipeline attack, DarkSide announced that it was shutting down after its servers were seized and its cryptocurrency payment accounts were drained by an unknown party. However, many DarkSide affiliates have likely reorganized under a different ransomware group.

How Does DarkSide Ransomware Work?

DarkSide ransomware can infiltrate a network through a variety of methods, although it appears to avoid targeting machines with languages spoken in countries of the former Soviet bloc. Common attack vectors include phishing emails, stolen login credentials, and vulnerabilities in software such as Citrix and Remote Desktop Protocol (RDP).

Once inside, DarkSide ransomware uses various system administration and penetration testing tools for reconnaissance and lateral movement, silently moving throughout the network. The techniques used by DarkSide include:

  • Privilege escalation, exploiting bugs or configuration errors to gain access to unauthorized resources.

  • Disabling security tools, killing software and event loggers that could detect the ransomware’s activities or preventing them from starting at runtime.

  • Identifying critical servers and data repositories, exfiltrating confidential information while detecting and removing backups that could thwart the attack.

DarkSide ransomware uses the encryption algorithms Salsa20 and RSA-1024 to keep victims’ files under lock. The malware is capable of encrypting both Windows and Linux machines. The DarkSide group has reportedly charged different ransom amounts to different victims, depending on their organization’s size and level of revenue.

How To Protect Yourself from DarkSide Ransomware

When the DarkSide group disbanded, leaders announced that they would make decryption tools available for companies that had been infected but not yet paid the ransom. If you find yourself infected by a stray variant of DarkSide ransomware, you can download DarkSide decryption software from websites such as Bitdefender.

Besides this, businesses should follow the usual best practices to avoid and defend against ransomware infections, such as:

  • Installing antivirus and antimalware software.

  • Creating regular backups of valuable files and data in an offsite location.

  • Training users on how to recognize phishing emails.

  • Keeping software applications up-to-date to patch security flaws.


Here’s what you need to know about the DarkSide ransomware group:

  • DarkSide was first observed in August 2020 and is believed to contain members of Russian origin affiliated with the REvil ransomware group.

  • The DarkSide ransomware group is responsible for the 2021 Colonial Pipeline ransomware attack, one of the most high-profile cyber attacks on critical infrastructure.

  • Although DarkSide claims to have disbanded, at least some members have likely joined other ransomware groups.

The Colonial Pipeline incident, in which DarkSide hackers entered the network via a compromised password, indicates the dangers of companies having sensitive data leaked on the Dark Web. That’s why businesses need to engage in regular Dark Web threat monitoring.

FYEO's threat intelligence software holds more than 24 billion leaked credentials, one of the world’s largest databases. When your private data is detected on the Dark Web, we’ll send you an alert right away, so that you can take action to protect yourself. To learn more, get in touch with us today to request a demo of FYEO Domain Intelligence.


bottom of page