{
	"id": "c7185d00-fbd2-411a-be5a-f0f8da47d0e3",
	"created_at": "2026-04-06T00:07:41.736568Z",
	"updated_at": "2026-04-10T03:20:34.617338Z",
	"deleted_at": null,
	"sha1_hash": "945098af6e330e6c66d799379f3e5e2c98d20acd",
	"title": "DarkSide ransomware explained: How it works and who is behind it",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 57820,
	"plain_text": "DarkSide ransomware explained: How it works and who is behind it\r\nBy Lucian Constantin CSO Senior Writer\r\nPublished: 2021-05-13 · Archived: 2026-04-05 18:27:12 UTC\r\nThe Colonial Pipeline attack thrust the DarkSide ransomware into the spotlight.\r\nThis is what's known about the threat actors and how they operate.\r\nDarkSide is a ransomware threat that has been in operation since at least August 2020 and was used in a\r\ncyberattack against Georgia-based Colonial Pipeline, leading to a major fuel supply disruption along the East\r\nCoast of the US. The malware is offered as a service to different cybercriminals through an affiliate program and,\r\nlike other prolific ransomware threats, employs double extortion that combines file encryption with data theft and\r\nis deployed on compromised networks using manual hacking techniques.\r\nIn a recent report, researchers from threat intelligence firm Flashpoint said they believe “that the threat actors\r\nbehind DarkSide ransomware are of Russian origin and are likely former affiliates of the REvil RaaS\r\n[ransomware-as-a-service] group.” \r\nA PR-savvy group that claims moral principles\r\nResearchers believe that the DarkSide creators initially ran all their targeted attack campaigns themselves, but\r\nafter a few months they started making their ransomware available to other groups and marketed it on Russian-language underground forums. In their launch announcement they claimed to have already made millions of\r\ndollars in profits by partnering with other well-known cryptolockers (ransomware programs) in the past.\r\nThe group encourages news reporters to register on its website to receive advance information about breaches and\r\nnon-public information and promises fast 24-hour replies to any media questions. 
They also invited data\r\ndecryption companies to partner with them to help victims that don’t have large IT departments decrypt their data\r\nafter they pay.\r\nThe group also claims that it doesn’t attack medical facilities, COVID vaccine research and distribution\r\ncompanies, funeral services, non-profit organizations, educational institutions, or government organizations\r\nbecause of its “principles.”\r\nFollowing the attack on Colonial Pipeline, the group issued a statement saying that going forward it will review\r\nvictims that its affiliates compromised and whose data they intend to encrypt:\r\n“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined government\r\nand look for other our motives. Our goal is to make money, and not creating problems for society. From\r\ntoday we introduce moderation and check each company that our partners want to encrypt to avoid\r\nsocial consequences in the future.” [sic]\r\nhttps://www.csoonline.com/article/3618688/darkside-ransomware-explained-how-it-works-and-who-is-behind-it.html\r\nPage 1 of 3\n\nIn October, the group also claimed that it is donating a portion of the extorted funds to charities and posted proof\r\nof two $10,000 donations.\r\nBased on these communications, it’s clear that the group wants and knows how to attract attention to itself and its\r\nactivities, likely in an attempt to gain more affiliates, but researchers warn that their claims have not been proven\r\nand are actually deceptive. For example, if it’s proven that charities received money obtained from illegal\r\nactivities, those funds will be seized or returned. Even though the group said it doesn’t attack educational\r\ninstitutions, it did attack one company that processed data from schools. 
When the company declined to pay the\r\nransom, the attackers emailed the impacted schools to put pressure on the victim organization by warning them\r\nthat the personal information of children and school employees might be leaked.\r\nThe claims about donations and not targeting certain types of organizations have not been verified and “should be\r\nmet with a heightened degree of scrutiny; these DarkSide operators would be far from the first cybercriminals to\r\nmake such claims and not follow through,” Flashpoint researchers said.\r\nHow DarkSide compromises networks\r\nDarkSide and its affiliates follow the same human-operated model of ransomware deployment as other prolific\r\nransomware groups that have plagued businesses in recent years. This means attackers gain access to networks\r\nthrough a variety of methods, including stolen credentials followed by manual hacking techniques and using a\r\nvariety of system administration or penetration testing tools to perform lateral movement.\r\nThe goal is to map the network to identify critical servers, escalate privileges, obtain domain administrative\r\ncredentials, disable and delete backups, exfiltrate sensitive data and only when the terrain is all set, deploy the\r\nransomware to as many systems as possible in one go. 
This careful and methodical approach is much more\r\neffective and hard to defend against than ransomware programs that propagate automatically through networks by\r\nusing built-in routines that might fail and trip detection mechanisms.\r\n“With respect to DarkSide’s affiliates, there is overlap in how the ransomware was delivered, including affiliates\r\ngaining initial network access by exploiting vulnerable software like Citrix, Remote Desktop Web (RDWeb), or\r\nremote desktop protocol (RDP), performing lateral movement, and exfiltrating sensitive data before ultimately\r\ndeploying ransomware,” researchers from security firm Intel471 said in a report.\r\nEvery DarkSide affiliate could employ different tactics to gain the initial foothold. These are similar to the\r\ntechniques used by other ransomware groups: buying stolen credentials from underground markets, performing\r\nbrute-force password guessing or credential stuffing attacks, buying access to machines that are already infected\r\nwith botnet malware such as Dridex, TrickBot or Zloader, or sending emails with malicious attachments that\r\ndeploy some type of lightweight malware loader.\r\nOne DarkSide actor observed by Intel471 sourced initial access credentials from a network access broker then\r\nused the Mega.nz file-sharing service to exfiltrate data, used a PowerShell backdoor to persist in the network and\r\ndeployed the KPOT information-stealing malware alongside the DarkSide ransomware. 
Another affiliate openly\r\nrecruited “penetration testers” to use VPNs and the already-obtained network access to perform lateral movement\r\nand deploy the ransomware.\r\nThird-party and open-source tools commonly used for lateral movement activities include PowerShell scripts, the\r\nCobalt Strike and Metasploit penetration testing frameworks, the Mimikatz password dumping tool, and the\r\nBloodHound visualization tool that can help attackers discover obscure attack paths and relationships to exploit in\r\nActive Directory environments. Tools that are already part of Windows like Certutil.exe and Bitsadmin.exe are\r\nalso abused.\r\nThis living-off-the-land approach that includes the use of valid credentials and tools that are also employed by\r\nsystem admins and network defenders makes these human-operated ransomware attacks hard to detect without\r\nadvanced network monitoring.\r\nHow the DarkSide ransomware routine works \r\nThe DarkSide ransomware itself uses Salsa20 and RSA-1024 to encrypt victims’ files and reportedly also has a\r\nLinux version. When deployed on Windows, the malware first checks the system’s language setting and if it’s the\r\nlanguage of a country located in the former Soviet Bloc or its sphere of influence, it avoids encrypting the data.\r\nThis is typical of malware created by groups who are based in the region and who want to avoid attracting the\r\nattention of local authorities by not hitting local organizations.\r\nAccording to researchers from Cybereason, the malware then stops services that contain the following terms in\r\ntheir names: vss, sql, svc, memtas, mepocs, sophos, veeam or backup. These are processes related to backup\r\noperations, like the Windows Volume Shadow Copy Service (VSS) or security products. 
It then proceeds to\r\nenumerate running processes and terminates them so it can unlock the files they were accessing to encrypt them. It\r\nalso uses a PowerShell command to delete all volume shadow copies already created and which could be used to\r\nrestore files.\r\nThe DarkSide ransomware creates a unique ID for every victim and adds it to the file extension for the encrypted\r\nfiles. The ransom amounts can vary significantly from a few hundred thousand dollars to millions depending on\r\nwhat the attackers determined is the victim’s size and its annual income.\r\n“In March 2021, the developer rolled out a number of new features in an effort to attract new affiliates,”\r\nresearchers from Intel471 said. “These included versions for targeting Microsoft Windows and Linux based\r\nsystems, enhanced encryption settings, a full-fledged and integrated feature built directly into the management\r\npanel that enabled affiliates to arrange calls meant to pressure victims into paying ransoms, and a way to launch a\r\ndistributed denial-of-service (DDoS).”\r\nSource: https://www.csoonline.com/article/3618688/darkside-ransomware-explained-how-it-works-and-who-is-behind-it.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.csoonline.com/article/3618688/darkside-ransomware-explained-how-it-works-and-who-is-behind-it.html"
	],
	"report_names": [
		"darkside-ransomware-explained-how-it-works-and-who-is-behind-it.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434061,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/945098af6e330e6c66d799379f3e5e2c98d20acd.pdf",
		"text": "https://archive.orkl.eu/945098af6e330e6c66d799379f3e5e2c98d20acd.txt",
		"img": "https://archive.orkl.eu/945098af6e330e6c66d799379f3e5e2c98d20acd.jpg"
	}
}