{
	"id": "31260842-fc57-423d-940a-d0d244434b72",
	"created_at": "2026-04-06T00:09:39.497743Z",
	"updated_at": "2026-04-10T03:21:45.550275Z",
	"deleted_at": null,
	"sha1_hash": "8d564a41bec44f41af63c2097b8b04b69a7bd1fa",
	"title": "DarkSide Ransomware Links to REvil Group Difficult to Dismiss",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77306,
	"plain_text": "DarkSide Ransomware Links to REvil Group Difficult to Dismiss\r\nBy Flashpoint\r\nPublished: 2021-05-11 · Archived: 2026-04-05 18:20:40 UTC\r\nKey Takeaways from Recent DarkSide Ransomware Events:\r\n1. On May 10, 2021, the U.S. Federal Bureau of Investigation (FBI) issued a statement confirming that “the DarkSide ransomware is responsible for the compromise of the Colonial Pipeline networks,” with its pipeline systems taken offline since Friday, May 7, 2021.\r\n2. “DarkSide” is a ransomware strain that was originally developed by Russian-speaking threat actors and has been active since August 2020. The ransomware is highly customized and designed to target large corporations in select industry verticals, particularly finance, technology, and manufacturing.\r\n3. Flashpoint assesses with moderate confidence that the ransomware is a variant of “REvil” ransomware and is based on its code.\r\n4. DarkSide ransom demands range widely, from $200,000 to $2,000,000, depending on the size and possibly other characteristics of the targeted organization.\r\n5. When DarkSide victims refuse to pay the ransom demand, the ransomware group follows through on its threat, releasing victims’ sensitive data on publicly visible websites.\r\nWhat Is DarkSide Ransomware and Where Did It Come From?\r\nThe first report of a DarkSide ransomware attack came on August 10, 2020, and even those early reports described the ransomware as highly customized and as extracting lucrative, million-dollar payouts from large corporate targets in the finance, technology, and manufacturing industries. On that same day, August 10, the DarkSide actors launched their DarkSide website on Tor.\r\nhttps://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/\r\nPage 1 of 3\n\nDarkSide uses Salsa20 and RSA-1024 to encrypt victims’ files on Windows OS. It also allegedly comes in a Linux version, although no samples are publicly available. The Linux version is said to be written in C++ and to use ChaCha20 and RSA-4096 for file encryption.\r\nVarious industry reports suggest that the ransomware not only encrypts victims’ data but also propagates laterally across the network and steals sensitive information from affected machines. If victims refuse to pay, their data is posted publicly on the DarkSide Tor website and offered for download. Although there is no publicly available information about the infection vector, the highly targeted nature of the attacks makes compromised Remote Desktop Protocol (RDP) servers and custom phishing attacks two highly plausible options.\r\nLearn more about Flashpoint Threat Response and Readiness offerings and how Flashpoint prepares and actively supports organizations to respond to any ransomware attack.\r\nOperators Quickly Expand DarkSide to Ransomware-as-a-Service (RaaS) Model\r\nThe first DarkSide ransomware attacks were all owner-operated, but after a few successful months the owners began to expand their operations. On November 10, DarkSide operators announced on the Russian-language forums XSS and Exploit the formation of a DarkSide affiliate program, providing partners with a modified form of the DarkSide ransomware to use in their own operations.\r\nIt’s worth noting that DarkSide actors have pledged in the past not to attack organizations in the medical, education, nonprofit, or government sectors. At one point, they also advertised that they donate a portion of their profits to charities. However, neither claim has been verified, and both should be met with a heightened degree of scrutiny; these DarkSide operators would be far from the first cybercriminals to make such claims and not follow through.\r\nDarkSide Operators Likely Former “REvil” Affiliates\r\nFlashpoint assesses with moderate confidence that the threat actors behind DarkSide ransomware are of Russian origin and are likely former affiliates of the “REvil” RaaS group. Several facts support this attribution:\r\nSpelling mistakes in the ransom note and the grammatical construction of its sentences suggest that the writers are not native English speakers.\r\nThe malware checks the default language of the system to avoid infecting systems based in the countries of the former Soviet Union.\r\nThe design of the ransom note, the wallpaper, the file-encryption extension and details, and the inner workings bear similarities to “REvil” ransomware, which is of Russian origin and has an extensive affiliate program. This shows the evolution path of this ransomware and ties it to other Russian-origin ransomware families.\r\nThe affiliate program is offered on the Russian-language forums XSS and Exploit.\r\nPrepare for Ransomware with Flashpoint\r\nRequest a demo today and see firsthand how Flashpoint’s Threat Response and Readiness offerings ensure your entire team is prepped and able to respond to any ransomware attack. And when equipped with the Flashpoint Intelligence Platform and our dedicated, prebuilt ransomware dashboards, you move a step ahead of ransomware attacks and the cybercriminal groups who use them.\r\nSource: https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/"
	],
	"report_names": [
		"darkside-ransomware-links-to-revil-difficult-to-dismiss"
	],
	"threat_actors": [],
	"ts_created_at": 1775434179,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d564a41bec44f41af63c2097b8b04b69a7bd1fa.pdf",
		"text": "https://archive.orkl.eu/8d564a41bec44f41af63c2097b8b04b69a7bd1fa.txt",
		"img": "https://archive.orkl.eu/8d564a41bec44f41af63c2097b8b04b69a7bd1fa.jpg"
	}
}