{
	"id": "c120a332-b9aa-4dd5-a8e1-7962a3fe2235",
	"created_at": "2026-04-06T00:15:20.901822Z",
	"updated_at": "2026-04-10T13:12:14.870314Z",
	"deleted_at": null,
	"sha1_hash": "2dc345201332a207a542f1cd2f44e4fc38f8ef6f",
	"title": "DarkSide Ransomware Gang: An Overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 88415,
	"plain_text": "DarkSide Ransomware Gang: An Overview\r\nBy Ramarcus Baylor\r\nPublished: 2021-05-12 · Archived: 2026-04-05 13:07:21 UTC\r\nExecutive Summary\r\nIt took an attack on a major U.S. pipeline company, and the possibility of disruption in the delivery of gasoline\r\nand jet fuel supplies to a large part of the country, to show the world that ransomware attackers are not going to\r\nrest on their laurels after shaking down municipal governments, school districts and hospitals.\r\nDarkSide became one of the world’s most well-known hacking groups after the FBI confirmed it is responsible for\r\nthe highly publicized attack. When a shadowy group can sit halfway across the world and, with a few keystrokes,\r\nthreaten fuel supplies on the U.S. Eastern Seaboard, then people do begin to take notice.\r\nThe impact of this attack is a reflection of the fact that ransomware operators are always on the move – improving,\r\nautomating and becoming more effective at targeting larger and larger organizations. And they’re getting a lot\r\nmore money for their efforts. The average cyber ransom paid more than doubled in 2020 – to $312,493 –\r\ncompared to 2019, according to the 2021 Unit 42 Ransomware Threat Report. So far in 2021, the average\r\npayment has nearly tripled compared to the previous year – to about $850,000.\r\nDarkSide has helped boost those averages by constantly focusing on ways to optimize its business model in the\r\nshort time it’s been active (we first encountered the group about a year ago). Like other leading ransomware\r\ngangs, DarkSide recently embraced the Ransomware-as-a-Service (RaaS) model. It outsourced code development,\r\ninfrastructure and operations and turned to the dark web to recruit new staff. 
As a result, the group can now better\r\nfocus on getting to know victims and targeting the most valuable types of data at each organization, so it can\r\nextract the largest-possible ransom and boost the return on investment in its criminal businesses.\r\nThe group started getting the attention of Unit 42 responders around October 2020. Since then, we’ve been finding\r\nits fingerprints in a growing number of cases. What makes DarkSide stand out is that the group has shown\r\ndiscipline we've traditionally only seen with nation-state actors – once the threat actors are in, they really dig in.\r\nThat said, researchers have noted DarkSide is likely a criminal network operating out of Russia; no one has yet\r\ndirectly connected this to the Russian government.\r\nIt is interesting to note that back in November, one ransomware negotiation firm placed the DarkSide operation on\r\nan internal restricted list after it announced plans to host infrastructure in Iran – because Iran is under U.S.\r\nsanctions, facilitating payments to that location might run afoul of the law.\r\nWherever they may be, there are indications that DarkSide attackers are highly experienced and accomplished in\r\nmounting ransomware attacks. They clearly operate at the high end of the ransomware ecosystem, focusing on a\r\nsmaller pool of victims from whom they can extract steep ransoms.\r\nPalo Alto Networks customers are protected from this threat by:\r\nhttps://unit42.paloaltonetworks.com/darkside-ransomware/\r\nPage 1 of 7\n\nWildFire: All known samples are identified as malware.\r\nCortex XDR with:\r\nindicators for DarkSide.\r\nAnti-Ransomware Module to detect DarkSide encryption behaviors.\r\nLocal Analysis detection to detect DarkSide binaries.\r\nCortex XSOAR: Cortex XSOAR’s ransomware content pack can immediately help incident response,\r\nthreat intelligence and SecOps teams to standardize and speed-up post-intrusion response processes. 
This\r\ncontent pack automates most of the ransomware response steps, allowing the incident response and SecOps\r\nteams to add their guidance and input.\r\nNext-Generation Firewalls: DNS Signatures detect the known command and control (C2) domains, which\r\nare also categorized as malware in URL Filtering.\r\nAutoFocus: Tracking related activity using the DarkSide tag.\r\nIf you think you may have been impacted, please email unit42-investigations@paloaltonetworks.com or call (855)\r\n875-4631 to get in touch with the Unit 42 Incident Response team.\r\nDoubling and Tripling Their Pressure\r\nThe DarkSide group is aggressive in pressuring victims to pay. The threat actors don’t like to be ignored. If\r\nvictims don’t respond within two or three days, they send threatening emails to employees. If that doesn’t work,\r\nthey start calling senior executives on mobile phones. And then they might threaten to start contacting customers\r\nor the press. And if that doesn’t work, they might launch DDoS to take down external websites.\r\nDarkSide is one of a growing number of ransomware operators that we have seen push the boundaries of their\r\ntrade to include these tactics, which we refer to as double and triple extortion (others include Maze, Sodin, Clop,\r\nNetWalker and Conti).\r\nThese aggressive techniques build on the pattern of a typical ransomware attack, in which files are encrypted and\r\na ransom is demanded to decrypt them and restore access. Some victims have backed up their data and do not see\r\na need to pay for decryption keys to restore access to corrupted systems. To prepare for that scenario, attackers\r\nalso exfiltrate sensitive information and study the victim’s network so they can up the ante if a target refuses to\r\npay. 
Then they threaten to release the data or launch a DDoS attack.\r\nDarkSide even purports to operate under a “code of conduct,” seeking to position the group as a trustworthy\r\nsecurity “partner.” When victims pay, the threat actors will do things to demonstrate good will including providing\r\ndecryption keys or presenting evidence that appears to show they have deleted stolen data. When asked, they will\r\nsometimes even tell victims how they got in so security gaps can be closed.\r\nDarkSide Ransomware: Tactics, Techniques and Procedures\r\nWe have seen the following software and tools leveraged by the DarkSide group to gain access to the victims’\r\ndata:\r\nLegitimate remote monitoring and management (RMM) tools to maintain access into a victim’s\r\nnetwork, such as AnyDesk and TeamViewer.\r\nReconnaissance tools (ADRecon) to gather information about victims' Active Directory prior to\r\nransomware encryption.\r\nA credential harvesting utility, Mimikatz, to dump password credentials.\r\nPowerShell to carry out objectives, such as to apply GPO to create a scheduled task to execute the\r\nransomware.\r\nPassword management utilities such as Dashlane and LastPass to gain access to additional credentials.\r\nUtilities such as SQLDumper.exe to target SQL Server.\r\nVictims’ internal messaging software to contact members of the IT staff.\r\nFile transfer software Rclone to exfiltrate data to cloud sharing websites (such as PCloud and\r\nMegaSync).\r\nNot many groups target non-Windows-based systems, but in early 2021, DarkSide introduced an ESXI version of\r\ntheir ransomware that targets VMware virtual machines (VMs), which many organizations use to leverage server\r\nvirtualization to reduce operating costs and increase IT productivity.\r\nWhy does this matter? 
While we found that in many cases the client’s endpoint security did its job protecting\r\nWindows PCs from being encrypted, because the servers were heavily virtualized through VMware’s ESXI, the\r\nESXI version of the ransomware made it possible for the DarkSide group to encrypt the virtual infrastructure. The\r\nthreat actors then essentially shut down applications and services, such as file shares, DNS and email, leaving the\r\nvictims’ networks in a deteriorated state or, worse, not functional.\r\nWhat Can We Learn From This?\r\nWe’ve been noting for some time that ransomware attackers are becoming increasingly professionalized,\r\noutsourcing code development, infrastructure and C2 operations, as well as operating RaaS. Many of them are\r\norganized enough to respond to media inquiries and operate victim hotlines.\r\nAs these threat actors continue to up their game, organizations need to follow best practices to safeguard their data\r\nand protect against groups such as the DarkSide ransomware gang.\r\nOrganizations should also make sure to have an incident response plan in place in case of an attack. Unit 42 offers\r\na Ransomware Readiness Assessment to help organizations get started on bolstering defenses.\r\nPalo Alto Networks customers are protected from this threat by:\r\nWildFire: All known samples are identified as malware.\r\nCortex XDR with:\r\nindicators for DarkSide.\r\nAnti-Ransomware Module to detect DarkSide encryption behaviors.\r\nLocal Analysis detection to detect DarkSide binaries.\r\nCortex XSOAR: Cortex XSOAR’s ransomware content pack can immediately help incident response,\r\nthreat intelligence and SecOps teams to standardize and speed-up post-intrusion response processes. 
This\r\ncontent pack automates most of the ransomware response steps, allowing the incident response and SecOps\r\nteams to add their guidance and input.\r\nNext-Generation Firewalls: DNS Signatures detect the known command and control (C2) domains, which\r\nare also categorized as malware in URL Filtering.\r\nAutoFocus: Tracking related activity using the DarkSide tag.\r\nIOCs\r\nIndicators associated with DarkSide are available on GitHub, have been published to the Unit 42 TAXII feed and\r\nare viewable via the ATOM Viewer.\r\nCourses of Action\r\nThis section documents relevant tactics, techniques and procedures (TTPs) used with DarkSide and maps them\r\ndirectly to Palo Alto Networks product(s) and service(s). It also further instructs customers on how to ensure their\r\ndevices are configured correctly.\r\nProduct / Service Course of Action\r\nInitial Access, Lateral Movement, Command and Control, Execution, Exfiltration, Persistence,\r\nCollection, Privilege Escalation, Discovery, Defense Evasion\r\nExploit Public-Facing Application [T1190], External Remote Services [T1133], Remote Desktop\r\nProtocol [T1021.001], Web Protocols [T1071.001], Multi-hop Proxy [T1090.003], Valid Accounts\r\n[T1078], Phishing [T1566], PowerShell [T1059.001], Automated Exfiltration [T1020], Scheduled Task\r\n[T1053.005], Archive Collected Data [T1560], Automated Collection [T1119], Bypass User Account\r\nControl [T1548.002], Account Discovery [T1087], Modify Registry [T1112]\r\nNGFW Ensure application security policies exist when allowing traffic from an untrusted zone\r\nto a more trusted zone\r\nEnsure 'Service setting of ANY' in a security policy allowing traffic does not exist\r\nEnsure 'Security Policy' denying any/all traffic to/from IP addresses on Trusted Threat\r\nIntelligence Sources Exists\r\nEnsure that User-ID is only enabled for internal trusted interfaces\r\nEnsure that 'Include/Exclude 
Networks' is used if User-ID is enabled\r\nEnsure that the User-ID Agent has minimal permissions if User-ID is enabled\r\nEnsure that the User-ID service account does not have interactive logon rights\r\nEnsure remote access capabilities for the User-ID service account are forbidden\r\nEnsure that security policies restrict User-ID Agent traffic from crossing into untrusted\r\nzones\r\nSet up File Blocking\r\nEnsure 'SSL Forward Proxy Policy' for traffic destined to the Internet is configured\r\nEnsure 'SSL Inbound Inspection' is required for all untrusted traffic destined for servers\r\nusing SSL or TLS\r\nEnsure that the Certificate used for Decryption is Trusted\r\nThreat Prevention †\r\nEnsure a Vulnerability Protection Profile is set to block attacks against critical and high\r\nvulnerabilities, and set to default on medium, low and informational vulnerabilities\r\nEnsure a secure Vulnerability Protection Profile is applied to all security rules allowing\r\ntraffic\r\nEnsure that antivirus profiles are set to block on all decoders except 'imap' and 'pop3'\r\nEnsure a secure antivirus profile is applied to all relevant security policies\r\nEnsure an anti-spyware profile is configured to block on all spyware severity levels,\r\ncategories, and threats\r\nEnsure DNS sinkholing is configured on all anti-spyware profiles in use\r\nEnsure passive DNS monitoring is set to enabled on all anti-spyware profiles in use\r\nEnsure a secure Anti-Spyware profile is applied to all security policies permitting traffic\r\nto the Internet\r\nEnsure that all zones have Zone Protection Profiles with all Reconnaissance Protection\r\nsettings enabled, tuned and set to appropriate actions\r\nEnsure that User Credential Submission uses the action of ‘block’ or ‘continue’ on the\r\nURL categories\r\nDNS Security † Enable DNS Security in Anti-Spyware profile\r\nURL Filtering †\r\nEnsure that URL Filtering is 
used\r\nEnsure that URL Filtering uses the action of ‘block’ or ‘override’ on the \u003centerprise\r\napproved value\u003e URL categories\r\nEnsure that access to every URL is logged\r\nEnsure all HTTP Header Logging options are enabled\r\nEnsure secure URL Filtering is enabled for all security policies allowing traffic to the\r\ninternet\r\nWildFire † Ensure that WildFire file size upload limits are maximized\r\nEnsure forwarding is enabled for all applications and file types in WildFire file blocking\r\nprofiles\r\nEnsure a WildFire Analysis profile is enabled for all security policies\r\nEnsure forwarding of decrypted content to WildFire is enabled\r\nEnsure all WildFire session information settings are enabled\r\nEnsure alerts are enabled for malicious files detected by WildFire\r\nEnsure 'WildFire Update Schedule' is set to download and install updates every minute\r\nCortex XSOAR\r\nDeploy XSOAR Playbook - Cortex XDR - Isolate Endpoint\r\nDeploy XSOAR Playbook - Access Investigation Playbook\r\nDeploy XSOAR Playbook - Impossible Traveler\r\nDeploy XSOAR Playbook - Block Account Generic\r\nDeploy XSOAR Playbook - Block URL\r\nDeploy XSOAR Playbook - Palo Alto Networks - Hunting And Threat Detection\r\nDeploy XSOAR Playbook - PAN-OS Query Logs for Indicators\r\nDeploy XSOAR Playbook - Phishing Investigation - Generic V2\r\nDeploy XSOAR Playbook - Endpoint Malware Investigation\r\nCortex XDR\r\nConfigure Host Firewall Profile\r\nEnable Anti-Exploit Protection\r\nEnable Anti-Malware Protection\r\nLook for the following BIOC alerts to detect activity*:\r\nCortex XDR Analytics - Possible LSASS memory dump\r\nCortex XDR Analytics - Unsigned process executed as a scheduled task\r\nCortex XDR Analytics - Connection to a TOR anonymization proxy\r\nCortex XDR Analytics - Dumping Registry hives with passwords\r\nDiscovery\r\nFile and Directory Discovery [T1083], Process Discovery 
[T1057]\r\nCortex XDR\r\nLook for the following BIOC alerts to detect activity*:\r\nCortex XDR Analytics - Multiple Discovery Commands\r\nImpact\r\nService Stop [T1489], Inhibit System Recovery [T1490], Data Encrypted for Impact [T1486]\r\nCortex XDR\r\nLook for the following BIOC alerts to detect activity*:\r\nManipulation of Volume Shadow Copy configuration\r\nCortex XSOAR Deploy XSOAR Playbook - Ransomware Manual\r\nTable 1. Courses of Action for DarkSide ransomware.\r\n† These capabilities are part of the NGFW security subscriptions service.\r\n* These analytic detectors will trigger automatically for Cortex XDR Pro customers.\r\nSource: https://unit42.paloaltonetworks.com/darkside-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/darkside-ransomware/"
	],
	"report_names": [
		"darkside-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434520,
	"ts_updated_at": 1775826734,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2dc345201332a207a542f1cd2f44e4fc38f8ef6f.pdf",
		"text": "https://archive.orkl.eu/2dc345201332a207a542f1cd2f44e4fc38f8ef6f.txt",
		"img": "https://archive.orkl.eu/2dc345201332a207a542f1cd2f44e4fc38f8ef6f.jpg"
	}
}