DarkSide is a ransomware threat that has been in operation since at least August 2020 and was used in a cyberattack against Georgia-based Colonial Pipeline, leading to a major fuel supply disruption along the East Coast of the US. The malware is offered as a service to different cybercriminals through an affiliate program and, like other prolific ransomware threats, employs double extortion that combines file encryption with data theft and is deployed on compromised networks using manual hacking techniques.
In a recent report, researchers from threat intelligence firm Flashpoint said they believe “that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the REvil RaaS [ransomware-as-a-service] group.”
A PR-savvy group that claims moral principles
Researchers believe that the DarkSide creators initially ran all their targeted attack campaigns themselves, but after a few months they started making their ransomware available to other groups and marketed it on Russian-language underground forums. In their launch announcement they claimed to have already made millions of dollars in profits by partnering with other well-known cryptolockers (ransomware programs) in the past.
The group encourages news reporters to register on its website to receive advance information about breaches and non-public information and promises fast 24-hour replies to any media questions. They also invited data decryption companies to partner with them to help victims that don’t have large IT departments decrypt their data after they pay.