DarkSide
DarkSide is a ransomware family and ransomware-as-a-service (RaaS) operation first publicly observed in August 2020 on Russian-language forums. Public reporting associates it with the threat actor ELBRUS/FIN7, which developed the DarkSide RaaS ecosystem and recruited and managed the affiliates that deployed DarkSide payloads. DarkSide is best known for the May 2021 compromise of Colonial Pipeline, which the FBI confirmed was caused by DarkSide ransomware. In that incident, the attackers stole approximately 100 GB of data within a two-hour window and then deployed ransomware against Colonial Pipeline’s IT network, affecting systems including billing and accounting; the operational disruption contributed to fuel shortages on the U.S. East Coast. Colonial Pipeline paid a ransom of about 75 bitcoin (roughly $4.4 million at the time), and the U.S. Department of Justice later seized approximately $2.3 million in bitcoin tied to the payment.
Reporting describes DarkSide as a structured double-extortion platform in which affiliates receive custom ransomware tooling, management panels, and leak-site controls in exchange for a share of ransom proceeds. Reported revenue splits indicated developers took 25% of payments under $500,000 and 10% of payments over $5 million. Affiliates were vetted through an interview process and could use a control panel to generate builds, manage victims, contact support, and choose which stolen data to publish on the leak site. DarkSide publicly claimed to be financially motivated and apolitical, and multiple sources state that it appeared to avoid targeting Russian, Kazakh, and Ukrainian organizations. The group also claimed to prohibit targeting healthcare, funeral services, education, public sector, and non-profits, though this is documented only as a stated policy, not as observed behavior.
Documented capabilities and behaviors include file encryption, pre-encryption data theft, public leak-site extortion, phone-based pressure during negotiations, and DDoS pressure tactics added during ransom negotiations. DarkSide also advertised providing information about upcoming victims before public disclosure for stock-shorting schemes. Intrusions involving the malware and its affiliate ecosystem were multifaceted, involving credential-based and brute-force VPN access, exploitation of the SonicWall SMA100 vulnerability CVE-2021-20016, phishing-delivered access via the Smokedham .NET backdoor, TeamViewer persistence, and NGROK exposure of remote desktop services. FireEye documented multiple affiliate clusters linked to the DarkSide ecosystem, including UNC2628, UNC2659, and UNC2465. Sophos reported an average dwell time of 45 days between initial access and ransomware deployment in DarkSide cases, while FireEye observed some affiliates moving from access to deployment in as little as two to three days.
Reporting also notes that DarkSide was one of only three ransomware strains at the time reported to encrypt files on VMware ESXi shared virtual hard drives. DarkSide targeted organizations across more than 15 countries and multiple industry verticals, and its leak site reportedly featured stolen data from more than 80 companies in the U.S. and Europe. Associated actors include affiliates such as Wazawaka/Mikhail Matveev, who claimed to have worked with DarkSide, and some reporting assesses broader links between DarkSide and REvil/Sodinokibi. After the Colonial Pipeline incident, DarkSide stated it would introduce moderation and review of targets to avoid social consequences in the future.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. | The threat actor obtained initial access to their victim by exploiting CVE-2021-20016, an exploit in the SonicWall SMA100 SSL VPN product, which has been patched by SonicWall. There is some evidence to suggest the threat actor may have used the vulnerability to disable multi-factor authentication options on the SonicWall VPN, although this has not been confirmed.
Groups observed using it
7 distinct threat actors attributed by public researchers.
ELBRUS developed their own RaaS ecosystem named DarkSide. They deployed DarkSide payloads as part of their operations and recruited and managed affiliates that deployed the DarkSide ransomware.
FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.
The attack began when a hacker group identified as DarkSide accessed the Colonial Pipeline network. The attackers stole 100 gigabytes of data within a two-hour window. Following the data theft, the attackers infected the Colonial Pipeline IT network with ransomware that affected many computer systems, including billing and accounting.
Wazawaka also said he’d teamed up with DarkSide, the ransomware affiliate group responsible for the six-day outage at Colonial Pipeline last year that caused nationwide fuel shortages and price spikes.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
In late March, DarkSide introduced a “call service” innovation that was integrated into the affiliate’s management panel, which enabled the affiliates to arrange calls pressuring victims into paying ransoms directly from the management panel.
Resource Development (1 technique)
A person familiar with the matter said on Monday that the server also carried data from other DarkSide ransomware operations in progress...
Initial Access (1 technique)
UNC2465 now uses phishing emails to deliver DarkSide via the Smokedham .NET backdoor
Execution (3 techniques)
Mandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware
UNC2465 activity dates back to at least April 2019 and is characterized by their use of similar TTPs to distribute the PowerShell-based .NET backdoor SMOKEDHAM
Persistence (3 techniques)
Mandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware
The DARKSIDE version observed in May sets the following registry key: HKCR\<ransom_ext>\DefaultIcon\<ransom_ext>\DefaultIcon=%PROGRAMDATA%\<ransom_ext>.ico
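As an added example (not code from the original page or from Mandiant), the following Python check scans registry key/value pairs for the DefaultIcon pattern quoted above: a bare extension registered directly under HKCR whose icon is an .ico under %PROGRAMDATA% named after the extension itself. The sample entries, the made-up extension .x1y2z3, and the matching heuristic are constructed for this example; in practice the entries would come from a registry export or an EDR registry-event feed.

```python
"""Heuristic check for the DefaultIcon registry pattern quoted above.

Added example (not code from the original page or from Mandiant): it scans
registry key/value pairs for a bare file extension registered under HKCR whose
DefaultIcon points at an .ico under %PROGRAMDATA% named after that extension,
the trace a ransomware-registered extension leaves behind.
"""
import re
from typing import Iterable, List, Tuple

# A registry key path and its (default) value.
RegEntry = Tuple[str, str]

# HKCR\<ext>\DefaultIcon, accepting the HKEY_CLASSES_ROOT long form as well.
_DEFAULT_ICON_KEY = re.compile(
    r"^(?:HKCR|HKEY_CLASSES_ROOT)\\(?P<ext>\.[A-Za-z0-9]+)\\DefaultIcon$",
    re.IGNORECASE,
)
# %PROGRAMDATA%\<name>.ico, tolerating an already expanded <drive>:\ProgramData.
_ICON_VALUE = re.compile(
    r"^(?:%PROGRAMDATA%|[A-Za-z]:\\ProgramData)\\(?P<name>\.[A-Za-z0-9]+)\.ico$",
    re.IGNORECASE,
)


def find_suspicious_default_icons(entries: Iterable[RegEntry]) -> List[str]:
    r"""Return the extensions whose DefaultIcon matches the ransomware pattern.

    The heuristic is an assumption made for this example: the extension key
    itself (not a ProgID) carries the DefaultIcon, the icon lives in ProgramData,
    and the icon file is named exactly like the extension, e.g.
    HKCR\.x1y2z3\DefaultIcon -> %PROGRAMDATA%\.x1y2z3.ico. Installers normally
    register a ProgID and ship icons from their own install directory.
    """
    hits: List[str] = []
    for key, value in entries:
        key_match = _DEFAULT_ICON_KEY.match(key.strip())
        if not key_match:
            continue
        value_match = _ICON_VALUE.match(value.strip().strip('"'))
        if not value_match:
            continue
        if key_match.group("ext").lower() == value_match.group("name").lower():
            hits.append(key_match.group("ext"))
    return hits


# Constructed sample entries (not real IoCs): a ProgID icon from a system DLL,
# a benign extension whose icon ships from Program Files, and one entry shaped
# like the DarkSide pattern with a made-up extension.
SAMPLE_ENTRIES: List[RegEntry] = [
    (r"HKCR\txtfile\DefaultIcon", r"%SystemRoot%\system32\imageres.dll,-102"),
    (r"HKCR\.pdf\DefaultIcon", r"C:\Program Files\ExampleReader\pdf.ico"),
    (r"HKCR\.x1y2z3\DefaultIcon", r"%PROGRAMDATA%\.x1y2z3.ico"),
]

if __name__ == "__main__":
    for ext in find_suspicious_default_icons(SAMPLE_ENTRIES):
        print(f"suspicious DefaultIcon registration for extension {ext}")
```

The check deliberately requires all three conditions (bare extension key, ProgramData location, icon named after the extension) so that ordinary application installs, which register a ProgID and ship icons from their own directory, do not fire; a single hit is still only a lead to be confirmed against the file's creation time and the process that wrote the key.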
Privilege Escalation (4 techniques)
Mandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware
via the creation of Windows services intended to launch BEACON. Notably, UNC2628 has repeatedly loaded BEACON with a service named ‘CitrixInit’
BlackMatter also attempts to elevate its privileges when it is limited by User Account Control (UAC). It does so via an elevated COM interface
If the malware does not have elevated privileges, it attempts to perform one of two User Account Control (UAC) bypasses
Stealth (3 techniques)
Like DarkSide (and REvil), BlackMatter uses a run-time API that can hinder static analysis of the malware. And like the other two ransomware groups, strings are also encrypted and revealed during runtime... stores configuration information in the binary in an encoded format.
Defense Impairment (1 technique)
Discovery (2 techniques)
In the past few years, ransomware hackers have found an almost perfect solution — cryptocurrencies like Bitcoin. It's fast. It's easy. Best of all, it's largely anonymous and hard to trace.
If this functionality were enabled and the check succeeded, the string "This is a Russian-Speaking System, Exit" would be written to the log file and the malware would exit
Lateral Movement (2 techniques)
The threat actor deployed the file power_encryptor.exe in a victim environment, encrypting files and creating ransom notes over the SMB protocol | Mandiant has observed the threat actor using PsExec and cron jobs to deploy the DARKSIDE ransomware
UNC2628 deploys DARKSIDE ransomware encryptors using PsExec to a list of hosts contained in multiple text files
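As an added example (not code from the original page or from Mandiant), the following Python detection runs over constructed records in the shape of Windows System log Event ID 7045 (service installation) and flags PsExec-style installs: the default PSEXESVC service name, a renamed service whose image is still PSEXESVC.exe, and the 'CitrixInit' service name quoted under Privilege Escalation above. It then generalizes the "list of hosts" pattern from this section by reporting an account that installs such a service on several hosts within a short window. Host names, accounts, timestamps, and the window and host-count thresholds are assumptions made for the example.

```python
"""Detection for PsExec-style service installs over constructed event records.

Added example (not code from the original page or from Mandiant). The records
mimic the fields of Windows System log Event ID 7045 ("A service was installed
in the system"). Two signals are raised: a single install that looks like
PsExec or carries the 'CitrixInit' name quoted on the page, and one account
installing such a service on several hosts inside a short window, which is
how deployment "to a list of hosts" shows up on the log side.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class ServiceInstall:
    when: datetime
    host: str          # machine the service was installed on
    account: str       # account that performed the install
    service_name: str
    image_path: str


# PSEXESVC is PsExec's default service name; 'CitrixInit' is the service name
# the page attributes to UNC2628's BEACON loader.
WATCHLIST_NAMES = {"psexesvc", "citrixinit"}


def is_psexec_style(rec: ServiceInstall) -> bool:
    """True for a watchlisted service name or an image named PSEXESVC.exe.

    PsExec's -r switch renames the service, so the image filename is checked
    as well (assumption for this example: the dropped binary keeps its name).
    """
    name = rec.service_name.lower()
    image = rec.image_path.lower().strip('"')
    return name in WATCHLIST_NAMES or image.endswith("\\psexesvc.exe")


def flag_installs(records: List[ServiceInstall]) -> List[ServiceInstall]:
    """Every record that individually looks like a PsExec-style install."""
    return [r for r in records if is_psexec_style(r)]


def flag_mass_deployment(
    records: List[ServiceInstall],
    window: timedelta = timedelta(minutes=10),
    min_hosts: int = 3,
) -> Dict[str, List[str]]:
    """Accounts that installed PsExec-style services on min_hosts or more
    distinct hosts within `window`, mapped to the hosts of the widest such window.
    The thresholds are assumptions; tune them to the environment's admin tooling."""
    by_account: Dict[str, List[ServiceInstall]] = defaultdict(list)
    for rec in sorted(flag_installs(records), key=lambda r: r.when):
        by_account[rec.account].append(rec)

    result: Dict[str, List[str]] = {}
    for account, recs in by_account.items():
        best: set = set()
        start = 0
        for end in range(len(recs)):           # sliding window over time order
            while recs[end].when - recs[start].when > window:
                start += 1
            hosts = {r.host for r in recs[start:end + 1]}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            result[account] = sorted(best)
    return result


def _t(minute: int) -> datetime:
    return datetime(2021, 5, 7, 3, minute)  # constructed timestamps


# Constructed sample records (hosts, accounts and times are made up): one
# benign agent install, four installs by the same account across four hosts
# in three minutes (one renamed with -r, one under the CitrixInit name), and a
# lone PsExec use by a helpdesk account half an hour later.
SAMPLE_EVENTS: List[ServiceInstall] = [
    ServiceInstall(_t(0), "WS-01", "CORP\\svc_backup", "BackupAgent", r"C:\Program Files\Backup\agent.exe"),
    ServiceInstall(_t(2), "SRV-01", "CORP\\admin7", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ServiceInstall(_t(3), "SRV-02", "CORP\\admin7", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
    ServiceInstall(_t(4), "SRV-03", "CORP\\admin7", "deploysvc", r"%SystemRoot%\PSEXESVC.exe"),
    ServiceInstall(_t(5), "FS-01", "CORP\\admin7", "CitrixInit", r"C:\Windows\Temp\update.exe"),
    ServiceInstall(_t(40), "WS-09", "CORP\\helpdesk", "PSEXESVC", r"%SystemRoot%\PSEXESVC.exe"),
]

if __name__ == "__main__":
    for rec in flag_installs(SAMPLE_EVENTS):
        print(f"{rec.when:%H:%M} {rec.host} {rec.account} installed {rec.service_name} ({rec.image_path})")
    for account, hosts in flag_mass_deployment(SAMPLE_EVENTS).items():
        print(f"{account} deployed a PsExec-style service to {len(hosts)} hosts: {', '.join(hosts)}")
```

The per-record signal is noisy on its own, because administrators use PsExec legitimately; the fan-out signal (one account, many hosts, minutes apart) is what separates a deployment run from routine use, and an allowlist of known deployment accounts keeps it actionable.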
Collection (1 technique)
...the company managed to retrieve the most important data that was stolen... by leveraging the attackers’ use of intermediary servers within the United States to store the stolen information.
Command and Control (1 technique)
investigators managed to thwart at least some of the hackers' data theft by taking a cloud server offline.
Exfiltration (3 techniques)
Wazawaka seems to have adopted the uniquely communitarian view that when organizations being held for ransom decline to cooperate or pay up, any data stolen from the victim should be published on the Russian cybercrime forums for all to plunder.
...the company did pay as it sought to retrieve the stolen information.
Reuters on Sunday reported that investigators managed to thwart at least some of the hackers' data theft by taking a cloud server offline.
Impact (5 techniques)
According to the investigation, he developed malware in January of this year to obtain illegal profits. The accused intended to use it to encrypt commercial organizations' data and demand a ransom for decryption, Russian prosecutors said.
The company halted operations because its billing system was compromised... In response to the cybersecurity attack on our system, we proactively took certain systems offline to contain the threat, which temporarily halted all pipeline operations...
In mid-April the ransomware program announced new capability for affiliates to launch distributed denial-of-service (DDoS) attacks against targets whenever added pressure is needed during ransom negotiations.
This is known as a double-extortion tactic in which companies that refuse to pay for a decryption key are then threatened with the public leak of their files.
Other (1 technique)
IOCs tracked for this family
62 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
68 sources tracked across advisories, community write-ups, and news.
DarkSide is referenced as the ransomware family inspiring the simulated attack scenario used to evaluate the defense agents.
Ransomware family referenced in an associated analytic story.
Ransomware referenced as using shadow copy deletion to inhibit system recovery and prevent data recovery.
Named ransomware family referenced as associated analytic story for suspicious C2 named pipe activity.