{
	"id": "93b67b78-a80b-4d86-9d83-5619badc4292",
	"created_at": "2026-04-06T00:10:10.104419Z",
	"updated_at": "2026-04-10T03:21:52.282481Z",
	"deleted_at": null,
	"sha1_hash": "640cd27ead0a52fa23f3763b4c11eb16511015a8",
	"title": "Here’s what we know about DarkSide ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 38170,
	"plain_text": "Here’s what we know about DarkSide ransomware\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 13:59:46 UTC\r\nWith the ransomware incident that shut down a major fuel pipeline in the United States, another well-known variant on the cybercrime underground has been thrust into the international spotlight.\r\nOn May 10, 2021, the U.S. Federal Bureau of Investigation announced the attack on Colonial Pipeline was caused by the DarkSide ransomware variant, which forced the company to halt the pipeline’s operations so Colonial could carry out a full investigation into the event. While the general public may be hearing DarkSide’s name for the first time, Intel 471 has been tracking those associated with the variant since they first announced their products to the cybercrime underground last year.\r\nThe following is an examination of how DarkSide rose to prominence among cybercriminals — which Intel 471 has been tracking since they emerged in the underground — in an ecosystem that is teeming with actors looking for new ways to extort businesses out of their money.\r\nWhile spotted in the wild as far back as August 2020, DarkSide’s developer “debuted” the ransomware on the popular Russian-language hacker forum XSS in November 2020, advertising that he was looking for partners in an attempt to adopt an affiliate “as-a-service” model. Soon after, the ransomware was spotted behind numerous attacks, including several incidents targeting manufacturers and law firms in Europe and the United States.\r\nIn March 2021, the developer rolled out a number of new features in an effort to attract new affiliates. These included versions for targeting Microsoft Windows and Linux-based systems, enhanced encryption settings, a full-fledged feature integrated directly into the management panel that enabled affiliates to arrange calls meant to pressure victims into paying ransoms, and a way to launch distributed denial-of-service (DDoS) attacks.\r\nWith respect to DarkSide’s affiliates, there is overlap in how the ransomware was delivered, including affiliates gaining initial network access by exploiting vulnerable software like Citrix, Remote Desktop Web (RDWeb) or Remote Desktop Protocol (RDP), performing lateral movement, and exfiltrating sensitive data before ultimately deploying ransomware.\r\nFor initial access to networks, actors usually purchased access credentials on underground forums, conducted brute-force attacks, used spam campaigns to spread malware loaders and/or bought access to popular botnets such as Dridex, TrickBot and ZLoader. As for post-exploitation tools, the arsenal usually included the Cobalt Strike and Metasploit frameworks, Mimikatz and BloodHound.\r\nSome of the tactics, techniques and procedures that Intel 471 has observed from DarkSide affiliates:\r\nOne prominent actor partnered with network access brokers to source initial access credentials, used the Mega.nz file-sharing service to exfiltrate data from victims, leveraged a PowerShell backdoor for reconnaissance and persistence within corporate networks, and also operated the KPOT information-stealing malware in conjunction with deploying DarkSide.\r\nAnother actor recruited penetration testers to use VPNs in conjunction with already-obtained network access, allowing attackers to move laterally within the network, exfiltrate sensitive data and deploy ransomware.\r\nDarkSide operators did not take responsibility for the Colonial Pipeline attack or publicly dump any data belonging to the company at the time of this report. However, on May 10, 2021, the group released an announcement alluding to its possible involvement in the attack. The operators pledged in the announcement that they will introduce “moderation” in the future by carefully checking each company DarkSide affiliates want to encrypt “to avoid social consequences in the future.” Operators also claimed that the group is strictly motivated by money, and not affiliated with any government apparatus.\r\nThis is not the first time DarkSide operators have tried to put PR spin on their actions. In October, the group announced on its blog that it would donate a portion of the collected ransoms to Children International, a non-profit child sponsorship organization dedicated to fighting poverty, and The Water Project, a non-profit aiming to provide clean water to countries in sub-Saharan Africa.\r\n“We think it's fair that some of the money they've paid will go to charity,” the entry on the blog site read. “No matter how bad you think our work is, we are pleased to know that we helped change someone's life.”\r\nIt is unknown if DarkSide continued to fund the charities outside of their initial donation.\r\nThe popularity and increasing maturity of the ransomware-as-a-service model combined with the aging systems that control energy systems is a compounding problem. As threat actors continue to observe ransomware’s operational success, more cybercriminals likely will want to get in on the action due to its thriving sub-industries (i.e. access brokers, credential shops, and bulletproof hosting) and higher returns when compared to other crimes (i.e. targeting bank accounts). It’s imperative that companies responsible for critical infrastructure understand that insecure systems present a juicy ransomware target to the cybercriminal underground, and proactive defenses will go a long way in preventing future incidents like what happened with Colonial Pipeline.\r\nSource: https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack"
	],
	"report_names": [
		"darkside-ransomware-colonial-pipeline-attack"
	],
	"threat_actors": [],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775791312,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/640cd27ead0a52fa23f3763b4c11eb16511015a8.pdf",
		"text": "https://archive.orkl.eu/640cd27ead0a52fa23f3763b4c11eb16511015a8.txt",
		"img": "https://archive.orkl.eu/640cd27ead0a52fa23f3763b4c11eb16511015a8.jpg"
	}
}