{
	"id": "29a76ff0-20d1-41b5-b347-fce629574978",
	"created_at": "2026-04-11T02:22:32.899699Z",
	"updated_at": "2026-04-11T02:24:15.527722Z",
	"deleted_at": null,
	"sha1_hash": "d3bb6a33a6b2592825c1589621374014ede95141",
	"title": "A chat with DarkSide - DataBreaches.Net",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 255420,
	"plain_text": "A chat with DarkSide - DataBreaches.Net\r\nPublished: 2021-04-12 · Archived: 2026-04-11 02:22:17 UTC\r\nIf you would meet us on the street – you would never realize that we are cyberpests, because we are the\r\nsame normal people like everyone else. Many have families and children, the only thing that these\r\ncircumstances in which we found themselves in our country are. We have no hatred and desire to cause\r\ndamage, we perceive our business as any other, the ultimate goal of which is profit.\r\n — DarkSide\r\nOne of Darkside’s earlier notices.\r\nIn a recent article on BankInfoSecurity, Mathew J. Schwartz reports that ransomware threat actors have been on\r\nsomewhat of a “charm offensive” since last year, giving interviews to media.  Because this blogger has absolutely\r\nno hacking knowledge or skills, I would never try to do an actual technical interview with any threat actor. In fact,\r\ngiven my professional background, I have always been more interested in why and how threat actors make the\r\ndecisions they make — and how some seem to have absolutely no scruples or ethics about attacking some victims\r\nwhile others appear to develop some sort of ethics code. With those interests in mind,  DataBreaches.net recently\r\ninterviewed DarkSide operators about their approach to their ransomware operations and changes since they first\r\nemerged as DarkSide.\r\nhttps://www.databreaches.net/a-chat-with-darkside/\r\nPage 1 of 7\n\nIn August, 2020, when the ransomware group known as DarkSide introduced themselves via a press release on\r\ntheir web site, they made a point of immediately claiming that although their product might be new, they were not\r\nnew kids on the block:\r\nWe are a new product on the market, but that does not mean that we have no experience and we came\r\nfrom nowhere. We received millions of dollars profit by partnering with other well-known\r\ncryptolockers. 
We created DarkSide because we didn’t find the perfect product for us. Now we have it.\r\nTheir announcement also stated what kinds of entities they did not attack, and that they only attacked companies\r\nthat could pay the demanded amount — an amount they claim they determine by researching the companies they\r\nattack.\r\nTheir launch announcement was met with skepticism by some and outright scorn or ridicule by others, and Brian\r\nBarrett’s description of DarkSide as having a “veneer of professionalism” was somewhat understandable. But in\r\nsome respects, DarkSide has proved Barrett wrong.  They actually are more professional in their conduct than\r\nsome other ransomware groups, even though their conduct is certainly illegal and cruel to victims. And they have\r\nnot only kept their word about who they will not attack, but they actually expanded the exclusions.\r\nSo seven months after they announced their launch and then put their heads down and got to work, what, if\r\nanything, has changed for them?\r\n“Big-Game Hunters”\r\nLike other groups such as REvil, Ryuk, and DoppelPaymer, DarkSide is considered a “big-game hunter,” targeting\r\nlarger corporations that can afford to pay higher ransoms. DarkSide’s dedicated leak site currently lists Guess, the\r\nwell-known American clothing and fashion accessories retailer. Guess’s revenue last year was estimated at $2.68\r\nbillion. DarkSide claims to have exfiltrated more than 200 GB of data, and posted a number of samples as proof.\r\nDataBreaches.net does not know how much ransom DarkSide has demanded for the decryption key, but they\r\npublicly advise Guess:\r\nWe recommend using your insurance, which just covers this case. It will bring you four times more than\r\nyou spend on acquiring such a valuable experience.\r\nThat statement is consistent with DarkSide’s first press release in which they stated that they were not out to kill\r\ncompanies. 
It is also consistent with DarkSide’s explanation to DataBreaches.net in the interview recently\r\nconducted by email.  [Because of language issues, DarkSide would translate my e-mailed questions into Russian,\r\nanswer me in Russian, and then translate the answers back into English. With only one exception, that seemed to\r\nwork fairly decently]. One of the exchanges was:\r\nDataBreaches.net (DBN):  Do you ever demand more than what their cyberinsurance policy might cover?\r\nDarkSupp: Always before putting the amount of ransom, we study the internal reporting of the company\r\nand definitely understand how much they can really pay, all our partners work in the same way and we\r\nalways remind about it.  Basically, we do not require more than the amount of cyber insurance, but we can\r\nnot always check the actions of our partners.\r\nDBN:  Someone suggested that if companies didn’t have cyberinsurance, ransomware threat actors would lose\r\ninterest and just go away. Do you think that’s true?\r\nDarkSupp:  (no response or comment)\r\nFrom the files on their site, it would appear that Guess was attacked in February. Unlike some groups that reach\r\nout to media quickly to get coverage, DarkSide had not reached out about Guess or other victims. When asked\r\nabout how long they wait and what steps they take, they answered:\r\nDarkSupp: We act in stages and notify the press usually already when exactly sure that the\r\ncompany will not pay. As for [Guess and another company DBN had named] – I think the press\r\nwill see them.\r\nDBN: Do you notify the press to punish the companies for not paying or to try to pressure them more —\r\nor for both reasons?\r\nDarkSupp: For both reasons.\r\nDBN: Do you actually call targets on the phone like some others do? 
Do you ever contact targets’\r\ncustomers directly like CLOP seems to be doing about the Accellion breach?\r\nDarkSupp: Yes, a few weeks ago, we launched a balanced service of the calls to our victims, while\r\nwe call only our customers, but soon we also want to put pressure on their partners. A few days\r\nago, we launched DDOS of our targets (Layer 5 Layer 7), which significantly increased pressure\r\nand has already brought the first results.\r\nExclusions\r\nLike some other RaaS groups, DarkSide uses a popular Russian-language forum to advertise or recruit partners\r\nand to promote its service and updates to its product. A recent announcement in early March described a number\r\nof updates to the features and rates for partners, as well as seeking affiliates.  The announcement also repeated the\r\nrules about what was not permissible to attack:\r\n1. The following areas are prohibited:\r\n– Medicine (only: hospitals, hospitals, any palliative care organization, nursing homes,\r\ncompanies that develop and participate (largely at the supply chain level) in the distribution of\r\nthe COVID-19 vaccine).\r\n– Funeral services (Morgues, crematoria, funeral homes).\r\n– Education (Universities, schools).\r\n– Public sector (municipalities, any government bodies).\r\n– Non-profit organizations (charities, associations).\r\n2. Any actions that damage the reputation of the product are prohibited.\r\n3. Any work in the CIS (including Georgia, Ukraine) is prohibited.\r\n4. It is forbidden to transfer the account to third parties.\r\n5. It is forbidden to use other lockers in one project.\r\nThe list of excluded entities is what they had established in August, with one difference: funeral services\r\n(morgues, crematoria, and funeral homes) were added to the list. 
When DataBreaches.net asked DarkSupp if they\r\nhad ever regretted attacking a target, they had replied:\r\nDarkSupp: Yes, for the actions of our partners. After that, a ban on blocking of morgues and crematoriums\r\nappeared.\r\nSo unlike what we saw with some entities refusing to commit to leaving medical entities alone or reneging on\r\npledges, DarkSide has consistently prohibited attacks on medical entities as defined in their rules. They also have\r\na more extensive exclusion list than any other group. [There will be some who argue, “So what? They are still\r\ncriminals.” Yes, they are, but DataBreaches.net believes in giving credit where it’s due, and if they stick to leaving\r\nmedical alone, I give them credit for that.]\r\nThat said, and while their intentions may sound noble in excluding medical, DataBreaches.net was surprised to\r\nlearn that DarkSide doesn’t consider medical targets likely to pay, as indicated in this exchange in the interview:\r\nDBN: You seem to have kept your word about leaving medical entities alone. Will you always leave medical,\r\nschools, and non-profits alone, or will that change when the pandemic ends?\r\nDarkSupp: There are several reasons why we do not attack medical institutions: 1. This may lead to\r\naggravation of health problems and the death of people, which is unacceptable for us. In the encryption of\r\nmedical institutions, they lose the history of patient diseases, a schedule of operations (including due to the\r\nloss of test results, which is now digitized) 2. 
Such companies on reviews of our colleagues usually do not\r\npay a ransom.\r\nDBN: Are you saying that hospitals usually do NOT pay ransom when they are attacked or are you saying\r\nsomething else?\r\nDarkSupp: Yes, we mean that in addition to negative moral consequences, hospitals also pay money less\r\noften than companies.\r\nThat statement seems to directly contradict what was reported at the same time last year when we were told that\r\n“Hospitals pay 80% to 90% of the time because they simply have no choice.” Have they stopped paying as often?\r\nHospitals in Germany, Belgium, and France have been in the news in recent months as victims of ransomware\r\nattacks — in at least some cases by DoppelPaymer. But are any paying? And are those who are attacking them\r\nmaking demands that far exceed cyberinsurance?  Have the criminals gotten so greedy that more victims are now\r\nrefusing to pay?\r\nDarkSide did acknowledge that some things may change after the pandemic, but not everything:\r\nDarkSupp: If we talk about medical companies: the ban on their encryption will always be, other spheres\r\nmay be permissible but with a preliminary change of rules.\r\nCharitable Donations\r\nIn an October press release, DarkSide revealed that they had made donations to some charities. It did not get a\r\npositive response from the security community, members of the forum where it was discussed, or the general\r\npublic. Concerned that entities might reject their donations if they knew the source, DarkSide announced that in\r\nthe future, they would make their donations anonymously.  DataBreaches.net followed up on that by asking them\r\nwhether they had been making any donations (DBN did not ask them to name any organizations specifically).\r\nDarkSupp: At that time, we did not consider it as an advertising move, donations were really\r\nshipped to help people. 
We do not know about the unpleasant consequences that in the end\r\nhappened with money, but no one returned to us, as the money was sent through a mixer.\r\nDarkSupp: Yes, sometimes we sacrifice money for enlightenment with various charitable funds\r\n(not everyone who we wanted to give money to accept Bitcoin), but mostly we are anonymously\r\nsupporting several open-source projects on anonymity on the Internet.\r\nUnsurprisingly, perhaps, Unknown of REvil also specifically mentioned supporting anonymity projects when\r\ninterviewed by Dmitry Smilyanets of Recorded Future last month.\r\nIndeed, there were many respects in which the two groups seemed comparable in their statements about their\r\noperations and approach to ransomware-as-a-service.  They both recognize that ransomware groups are in\r\ncompetition to give affiliates what they want and that affiliates may jump ship to get better features or percentages\r\nof take.  At the beginning of March, DarkSide published a detailed update and solicitation for partners. In it, they\r\npromote themselves as serious competitors whose features are better than what others have to offer potential\r\naffiliates.\r\nIn an announcement on a Russian-language forum, DarkSide advertises the competitive features of\r\nDarkSide v. 2.1.\r\nIn our interview, they elaborated on how they see their position in the community:\r\nDarkSupp: Objectively speaking, we have only a few competitors, the rest of the partnership\r\nprograms at least do not provide the level of service that we have. After we started to develop and\r\ntake the audience from them – they began to more actively develop their projects and create new\r\nservices (it can easily notice the nomination of Russian hacker forums). So it can be said that our\r\nproject globally affected the market for the development of cryptolockers.\r\nREvil would probably make the same claim. 
And both groups have put up money on the forum to cover any\r\nincidents or problems that might develop (DarkSide put up 23 btc in November for such contingencies, while\r\nREvil recently explained that they removed their deposit because of the exchange rate).\r\nTheir commitment became important after BitDefender released a free decryptor for victims of DarkSide\r\nransomware. DarkSide’s response was immediate and public: they acknowledged what had happened and how (as\r\ntranslated below):\r\nBitdefender has released a utility that can decrypt some of our Windows lockers. Linux is not\r\ndecrypted. This is not connected with breaking our encryption or another bug in the locker (RSA +\r\nSalsa20), but with the generation of keys. Due to the way the generator works under Linux, some\r\nprivate keys of the targets could be generated the same, so BitDefender created its own decryptor based\r\non one public key (previously purchased). We estimate that up to 40% of private keys are affected.\r\nAt the moment, this problem has been resolved, no new targets will be decrypted, there have been no\r\nbugs in the locker itself, and there never will be.\r\nDarkSide offered monetary compensation to any affiliates who had lost money because of the error, and then\r\noffered new affiliates a better deal for the next 30 days with higher shares. They also thanked BitDefender\r\npublicly for helping them improve their product.\r\nBecause the decryptor was released right before the holidays, fewer than 5 victims were reportedly able to benefit\r\nfrom it, and DarkSide claimed that not only had the incident not cost them any affiliates, but it had actually helped\r\nthem attract even more affiliates within 48 hours because they offered a better deal to new affiliates while\r\ncompensating any existing ones who had suffered any losses. But they also told DBN:\r\nIf we talk about Bitdefender, we can say that they have made a big mistake by publishing the\r\ndecryption key in public. 
In their place, we would distribute it among the recovery companies,\r\nand that would have caused more damage later for us.\r\nAt the present time, DarkSide claims to work with more than 20 affiliates or partners.  That is significantly less\r\nthan what Unkn of REvil claimed Sodinokibi had as a maximum number of affiliates at any one time, and\r\nDarkSide is generally not listed among the currently most profitable ransomware groups that seem to include\r\nRyuk, REvil, and DoppelPaymer. But the competition is certainly evident as we have seen groups come and go in\r\nthe past seven months and some grouping into what has been labeled by others as a cartel. DarkSide has not\r\nexpressed any public interest in joining any cartel, and made no mention of anything like that in our interview.\r\nBut will DarkSide ever make enough money to quit? I put the question to them.\r\nDBN: Unknown from REvil had said he can never have too much money because he grew up poor. How about\r\nyou? Do you have some monetary goal in mind, and if you reach it, you will retire, or will you just keep going to\r\nmake even more money?\r\nDarkSupp: We have a definite goal after which we will retire.\r\nIt seems that they haven’t reached it yet.\r\nSource: https://www.databreaches.net/a-chat-with-darkside/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.databreaches.net/a-chat-with-darkside/"
	],
	"report_names": [
		"a-chat-with-darkside"
	],
	"threat_actors": [],
	"ts_created_at": 1775874152,
	"ts_updated_at": 1775874255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d3bb6a33a6b2592825c1589621374014ede95141.pdf",
		"text": "https://archive.orkl.eu/d3bb6a33a6b2592825c1589621374014ede95141.txt",
		"img": "https://archive.orkl.eu/d3bb6a33a6b2592825c1589621374014ede95141.jpg"
	}
}