{
	"id": "c0d5da18-be6b-4b83-a337-8510b0dc1eec",
	"created_at": "2026-04-06T00:22:15.809223Z",
	"updated_at": "2026-04-10T13:11:54.950039Z",
	"deleted_at": null,
	"sha1_hash": "1228f709606f262d667713388046c129ac3a6f9b",
	"title": "Who is DarkSide – The Group Behind the Colonial Pipeline Breach?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77460,
	"plain_text": "Who is DarkSide – The Group Behind the Colonial Pipeline\r\nBreach?\r\nPublished: 2021-05-19 · Archived: 2026-04-05 19:52:41 UTC\r\nKey Findings\r\nThe “DarkSide” ransomware group has made the news in 2021 due to its high-value targets such as the\r\nColonial Pipeline and its high ransom amounts. It is considered to be one of the most prolific ransomware\r\ngroups in the field. In August 2020, the DarkSide team launched its own public blog, “DarkSide Leaks”, to\r\nintimidate victims, boast about its attacks, and post stolen information from victims who did not pay the\r\nransom.\r\nThe group established criteria for whom it partners with (experienced Russian-speaking hackers) and who\r\nit allows partners to target (former Soviet states and certain industries are off-limits).\r\nDarkSide has recently reached widespread notoriety as the suspected culprit behind the Colonial Pipeline\r\nransomware attack. While DarkSide’s blog is down as of this writing, it released a statement in which it\r\nclaimed to be apolitical, uninterested in “creating problems for society”, and unaffiliated with any\r\ngovernments.\r\nThe DarkSide ransomware group is notable for its professionalism, including its attention to its product,\r\ncustomer service, and “code of ethics”. This professionalism makes DarkSide a particularly dangerous and\r\ncapable ransomware group, although the full fallout from a highly public attack on critical American\r\ninfrastructure remains to be seen.\r\nAnalysis\r\nGemini Advisory has previously written a public report that describes the operations and tactics of ransomware\r\nteams. The “DarkSide” ransomware group recently reached widespread notoriety as the suspected culprit behind\r\nthe Colonial Pipeline ransomware attack. This attack disrupted the largest pipeline for refined oil products in the\r\nUnited States and has led to ongoing gas shortages, with the pipeline’s systems beginning to restart on Wednesday,\r\nMay 12. 
DarkSide is also known for high ransom demands and is considered to be one of the most prolific\r\nransomware groups in the field. According to multiple sources, the group first appeared in August 2020 and\r\nremains active as of this writing. The group also provides Ransomware-as-a-Service (RaaS), which is essentially a\r\nmalware rental service in which other cybercriminals can rent out DarkSide’s malware to conduct ransomware\r\nattacks.\r\nPublic Blog\r\nIn August 2020, the DarkSide team launched its own public blog, “DarkSide Leaks”, on the Tor network. Like\r\nother teams, DarkSide uses its blog to intimidate victims, boast about its attacks, and post victims’ stolen\r\ninformation if they did not pay the ransom.\r\nhttps://geminiadvisory.io/who-is-darkside/\r\nPage 1 of 5\n\nImage 1: DarkSide Leaks home page.\r\nDark Web Activity\r\nIn November 2020, the actor “darksupp” created threads on two top-tier dark web forums in which they\r\nannounced the launch of DarkSide’s partner program. This program is effectively RaaS; partners rent DarkSide’s\r\nransomware to attack victims and DarkSide offers its partners 75% to 90% of the ransom money. In March 2021,\r\nthe same actor created a new thread announcing the launch of DarkSide Ransomware v.2.0.\r\ndarksupp appears to be the public face of the organization and frequently publishes up-to-date information about\r\nthe team and ransomware updates. As of this writing, darksupp’s threads advertising DarkSide’s RaaS still remain\r\non two dark web forums. In addition, darksupp made a deposit of 23 Bitcoin (~$1.3 million USD as of this\r\nwriting) on one of these forums to signal that the group is serious and trustworthy. The security deposit is intended\r\nto remedy issues arising with its partners by allowing the forum administrators to act as mediators and an escrow\r\nservice.\r\nOne of darksupp’s updates referenced a new DarkSide policy. 
If a victim company does not contact DarkSide to\r\npay its ransom, the criminal group offers to launch distributed denial-of-service (DDoS) attacks against the\r\ncompany to put even more pressure on it to contact DarkSide. While other ransomware groups may use similar\r\ntactics, they often do not advertise their use of DDoS, so this disclosure sets DarkSide apart.\r\nRules of Engagement\r\nIn the March 2021 forum post, darksupp outlined the group’s criteria for whom it partners with and who it allows\r\npartners to target. darksupp specified that DarkSide exclusively seeks experienced, Russian-speaking partners and\r\ndoes not wish to work with English-speaking individuals or individuals linked to security services or cybersecurity\r\ncompanies. Additionally, the group stated its service is aimed at targeting only large corporations and listed the\r\ncriteria for the types of entities that partners should not target. The criteria include:\r\nHospitals, nursing homes, hospices, and medical organizations producing and distributing COVID-19\r\nvaccines\r\nOrganizations and businesses providing funeral services\r\nGovernment and public sector bodies\r\nNon-governmental organizations\r\nDarkSide also stated that partners should not target any entity in the former Soviet Union (FSU), which is\r\ncommon for threat actors located in the FSU. The group stipulated that partners should not conduct any activity\r\nthat could harm the reputation of DarkSide. While DarkSide’s blog is down as of this writing, it released a\r\nstatement after news of the Colonial Pipeline hack broke in which it claimed to be apolitical, uninterested in\r\n“creating problems for society”, and unaffiliated with any governments. 
The RaaS model makes it difficult for\r\ngroups like DarkSide to predict their cybercriminal clients’ ransomware targets, and this statement indicates\r\nDarkSide’s aversion to the attention of such a high-profile attack. It remains unclear if the group will release the\r\ndatabase of its latest victim or if it will attempt to backtrack, given the disturbingly high-profile nature of its recent\r\nattack.\r\nAdditionally, the actor has indicated that its ransomware can work with Windows and Linux OS and has a\r\nconvenient admin panel with various functions, including managing the distribution and withdrawal of funds via\r\nBTC or XMR (Bitcoin or Monero), generating builds and decryptors, online chat, and more.\r\nImage 2: “darksupp” advertising private cryptolocker.\r\nAttack Vectors\r\nSince the DarkSide ransomware is advertised as a RaaS, actors renting the ransomware could use various attack\r\nvectors, ranging from phishing campaigns to exploiting vulnerable internet-facing applications. After gaining\r\naccess to a victim’s internal network, DarkSide operators establish an RDP connection with their command-and-control server through port 443 (HTTPS), routing internet traffic through the Tor anonymity network. 
In addition,\r\nDarkSide uses one of Cobalt Strike’s payload generation mechanisms, called “Beacon”, to establish a command-and-control channel as an additional backdoor on internal hosts.\r\nTo conduct reconnaissance on the internal network, run commands, dump processes, and steal credentials,\r\nattackers use tools such as Advanced IP Scanner, PsExec, and Mimikatz, among others.\r\nWith a complete understanding of the network and internal resources, the DarkSide ransomware operators inject a\r\nmalicious ransomware executable into an existing system process via CMD commands, after which several\r\npreparatory procedures take place: detecting the presence of anti-forensics and anti-debugging mechanisms,\r\nremoving Shadow Volume Copies, and stopping system processes that can interfere with encryption. Encryption is\r\nthen performed using Salsa20 + RSA-1024 on Windows and ChaCha20 + RSA-4096 on Linux; an 8-character\r\nextension is appended to the encrypted files and a ransom note titled “REDME.victimsID.text” is left behind.\r\nExtortion Tactics\r\nDarkSide uses “double extortion” tactics, a method in which attackers first download the victim’s database and\r\nthen encrypt all of the data on the victim’s network. The team uses the DarkSide Leaks blog to intimidate\r\ncompanies that refused to pay the ransom by threatening to make the database publicly available. According to the\r\nmessage generated by the ransomware on victim computers, DarkSide’s data leaks site creates a unique link for\r\neach victim along with a unique key. Upon entering the key in the required field, the ransom amount and\r\nBTC/XMR wallets appear for the victims, who also have an online chat feature for support and possible\r\nnegotiations.\r\nIn a creative nascent scheme, DarkSide offered to notify stock market investors before leaking confidential stolen\r\ndata. 
These investors could then short the target company’s stock in anticipation of a drop in its share price\r\nfollowing publicity about the breach and leaked data. While the risks to participating investors running afoul of\r\nthe Securities and Exchange Commission (SEC) would be high and the rewards likely low, this scheme\r\ndemonstrates DarkSide’s innovative nature. It also demonstrates DarkSide’s aggressive exploitation of the same\r\ntarget, first encrypting a victim’s data, then threatening to publicly release that data, then deploying DDoS attacks,\r\nand finally attempting to exploit the victim’s stock prices.\r\nVictims\r\nAs of this writing, the home page of DarkSide Leaks contains news about more than 80 entities that have become\r\nvictims of the ransomware, although the true number is likely greater. Below are some of the most notable victims\r\nreferenced on DarkSide Leaks:\r\nAugust 2020 – Brookfield Asset Management Inc.\r\nOctober 2020 – Mestek\r\nNovember 2020 – Automation Personnel Services, Forbes Energy Services\r\nJanuary 2021 – Aaronson Rappaport Feinstein \u0026 Deutsch, LLP\r\nFebruary 2021 – Oak Valley Community Bank, Centrais Eletricas Brasileiras, Companhia Paranaense de\r\nEnergia\r\nMarch 2021 – Indonesia Eximbank\r\nMay 2021 – Colonial Pipeline\r\nThe Colonial Pipeline is DarkSide’s most notable target, given the highly public nature of the hack’s damages and\r\nthe effect on critical US infrastructure. While many hacking groups (including DarkSide) have been wary of\r\nattracting US law enforcement’s attention in attacks as brazen as this one, the US response to this attack will likely\r\nsignal the severity of the consequences to hacking groups across the dark web. This may serve as either a deterrent\r\nor an incentive to attempting similar attacks of this scale.\r\nConclusion\r\nThe DarkSide ransomware group is notable for its professionalism. 
While many other RaaS groups exist,\r\nDarkSide stands out for its attention to its product, including consistent modifications and quality upgrades. Its\r\ncustomer service feature for hacking victims is intended to allow ransom transactions to resolve as smoothly as\r\npossible, which is a far cry from the gloating and insulting ransom messages in the early days of ransomware.\r\nDarkSide’s “code of ethics” designating certain industries off-limits also demonstrates closer attention to the\r\ngroup’s clients than many of its peer gangs. Its ability to cover its tracks through sophisticated tactics, techniques,\r\nand procedures (TTPs) has allowed it to maintain a relatively opaque presence until recently, when the Colonial\r\nPipeline attack brought it into the news. This professionalism makes DarkSide a particularly dangerous and\r\ncapable ransomware group, although the full fallout from a highly public attack on critical American infrastructure\r\nremains to be seen.\r\nUpdate 05/14/2021\r\nAs of May 14, several credible underground sources have claimed that the DarkSide ransomware group no longer\r\nhas a presence on the dark web. It purportedly no longer has access to its servers and control panel. Additionally,\r\none of the top-tier forums on which DarkSide operated has imposed sanctions against all ransomware groups,\r\nbanning them from the forum entirely. The other top-tier forum deleted the account darksupp and two threads\r\nabout its ransomware. Two unrelated ransomware groups, “Avaddon” and “REvil”, have additionally included\r\nnew conditions for their RaaS clients that forbid them from targeting certain entities. 
These developments suggest\r\nthat the consequences for hitting such a high-profile target may be uncharacteristically severe.\r\nGemini Advisory Mission Statement\r\nGemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to\r\nmitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help\r\nidentify and isolate assets targeted by fraudsters and online criminals in real-time.\r\nSource: https://geminiadvisory.io/who-is-darkside/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://geminiadvisory.io/who-is-darkside/"
	],
	"report_names": [
		"who-is-darkside"
	],
	"threat_actors": [],
	"ts_created_at": 1775434935,
	"ts_updated_at": 1775826714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1228f709606f262d667713388046c129ac3a6f9b.pdf",
		"text": "https://archive.orkl.eu/1228f709606f262d667713388046c129ac3a6f9b.txt",
		"img": "https://archive.orkl.eu/1228f709606f262d667713388046c129ac3a6f9b.jpg"
	}
}