{
	"id": "f478f99b-4e72-417f-b575-ac492b22187c",
	"created_at": "2026-04-06T00:18:25.067007Z",
	"updated_at": "2026-04-10T13:11:43.883008Z",
	"deleted_at": null,
	"sha1_hash": "dd0b4df9f92872d4d94b591376705adca991dc57",
	"title": "Darkside Ransomware Gang Launches Affiliate Program",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 952275,
	"plain_text": "Darkside Ransomware Gang Launches Affiliate Program\r\nBy Mathew J. Schwartz (euroinfosec) • November 12, 2020\r\nArchived: 2026-04-05 15:50:47 UTC\r\nCybercrime, Cybercrime as-a-service, Endpoint Security\r\nUsing Affiliates Enables Crowdsourced Profits But Leaves Operators More Exposed\r\nAdvertisement by Darkside operators on a cybercrime forum (Source: Kela)\r\nDarkside is the latest ransomware gang to announce that it has launched an affiliate program as part of its bid to maximize revenue.\r\nIn recent days, the operators behind Darkside have taken to XSS and Exploit - two major Russian-language cybercrime forums - to announce the details of the gang's new affiliate program, Israeli cyberthreat intelligence monitoring firm Kela reports.\r\nHere's how such affiliate programs work: Ransomware operators provide crypto-locking malware code to third parties. Each affiliate receives a build of the code with their unique ID embedded, which lets the operator tie each victim and each payment back to the affiliate responsible. For every victim that pays a ransom, the affiliate shares the take with the ransomware operator.\r\nhttps://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968\r\nPage 1 of 5\r\nDarkside ransom note (Source: Bleeping Computer)\r\nFor example, the affiliate program run by Sodinokibi - aka REvil - as of last year was giving 30% of every ransom payment to an affiliate, rising to 40% after three successful ransom payments (see: Sodinokibi Ransomware Gang Appears to Be Making a Killing).\r\nDarkside's terms and conditions differ. 
\"They stated that their average payments to their affiliates are about $400,000 and the share paid to affiliates is about 75-90% of every haul, depending on the size of the ransom, with the ransomware operators keeping the remainder,\" Kela says, noting that Darkside claims the average ransom it receives is between $1.6 million and $4 million.\r\nPost by Darkside operators to a Russian-language cybercrime forum (Source and translation: Kela)\r\nRansomware affiliate programs abound. Victoria Kivilevich, a threat intelligence analyst at Kela, says some of the more famous \"big game\" ransomware operators running affiliate programs - as well as blogs for leaking stolen data - include:\r\nAvaddon;\r\nDarkside;\r\nLockBit;\r\nNetwalker;\r\nRanzy;\r\nSodinokibi, aka REvil;\r\nSuncrypt - now apparently retired.\r\nOther ransomware operations - some active, some now defunct - that have run affiliate programs include Chimera, CryLock, Exorcist, Gretta, Makop, Thanos and Zeppelin, she says.\r\nAffiliate Program Upsides\r\nRunning an affiliate program offers numerous upsides. For starters, the ransomware operator handles the technical side, including \"product updates.\" Once the operator has built all required infrastructure - typically including a self-service portal for victims to pay - they can, in theory, scale to handle as many affiliates as they want. This crowdsourcing model can yield far greater profits than the operators could realize by hitting victims themselves. 
Affiliates, meanwhile, don't need to build and maintain their own malware and infrastructure.\r\nOther upsides include the ability of the operation to attract specialists - in network penetration, for example - who can focus on amassing victims while leaving tech support and customer service, so to speak, to the operator.\r\nTwo Main Downsides\r\nSo, what are the downsides to running an affiliate program? Kivilevich highlights two main problems: reputation and infiltration.\r\nIf an affiliate does something bad, that reflects on the operator, as Darkside has noted in one of its posts. \"For example, when an affiliate of Suncrypt attacked hospitals, you see Suncrypt writing: 'A new affiliate locked it unknowingly, and for this he was punished! Hospitals, government, airports, etc., we do not attack,'\" she says.\r\nRelying on affiliates also means that the ransomware operation may be inadvertently recruiting undercover security researchers or law enforcement agents who might potentially \"gather more intelligence about their activities,\" Kivilevich says.\r\nRansomware Features\r\nHow big a threat does Darkside pose? The operators say that the crypto-locking malware that Darkside provides to affiliates can encrypt both Windows and Linux files. 
Researchers at Russian security firm Kaspersky recently determined that RansomEXX ransomware also can crypto-lock Linux files (see: RansomEXX Ransomware Can Now Target Linux Systems).\r\nLike many types of malware, Darkside is designed not to infect PCs located in one of the member states of the post-Soviet Commonwealth of Independent States, which includes Russia and 11 other nations (see: Russia's Cybercrime Rule Reminder: Never Hack Russians).\r\n\"Press release\" from Darkside in August announcing its debut (Source: MalwareHunterTeam)\r\nAs proof of its success to date, Darkside has deposited 20 bitcoins - worth about $315,000 - with the XSS forum. Kivilevich says this is \"a common method ransomware gangs will use to show that their operation generates plenty of profit.\"\r\nLike many other ransomware operations, the gang maintains a leak site, where it names and shames victims and can post samples of stolen data to try to force victims to pay (see: Data-Exfiltrating Ransomware Gangs Pedal False Promises).\r\nEven so, it's not yet clear how many organizations Darkside or its affiliates might have hit.\r\n\"Darkside has been relatively quiet since the gang emerged. They've published only four victims on their site, with one being removed,\" Kivilevich says. \"It's possible the gang is extending their efforts, meaning that we could expect to see them performing more attacks.\"\r\nIn a likely bid to boost profits, the gang has posted that it's looking for initial access brokers that can give it access to U.S. 
businesses with annual revenue of at least $400 million.\r\nPost by Darkside operators to a Russian-language cybercrime forum (Source and translation: Kela)\r\n\"Darkside is aiming for big targets,\" Kivilevich says, adding that it's the first time she's seen \"ransomware operators offering initial access brokers the opportunity to directly trade with them\" rather than attempting to rely on \"affiliates or other middlemen.\"\r\nAs always with ransomware, criminal innovation - in a nonstop drive by attackers to maximize profits - appears to be paying off at victims' expense.\r\nThis piece has been updated to clarify the amount DarkSide pays to affiliates.\r\nSource: https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968"
	],
	"report_names": [
		"darkside-ransomware-gang-launches-affiliate-program-p-2968"
	],
	"threat_actors": [
		{
			"id": "f88b16bc-df4b-48e7-ae35-f4117240ff24",
			"created_at": "2022-10-25T15:50:23.556699Z",
			"updated_at": "2026-04-10T02:00:05.312313Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Chimera"
			],
			"source_name": "MITRE:Chimera",
			"tools": [
				"PsExec",
				"esentutl",
				"Mimikatz",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3da47784-d268-47eb-9a0d-ce25fdc605c0",
			"created_at": "2025-08-07T02:03:24.692797Z",
			"updated_at": "2026-04-10T02:00:03.72967Z",
			"deleted_at": null,
			"main_name": "BRONZE VAPOR",
			"aliases": [
				"Chimera ",
				"DEV-0039 ",
				"Thorium ",
				"Tumbleweed Typhoon "
			],
			"source_name": "Secureworks:BRONZE VAPOR",
			"tools": [
				"Acehash",
				"CloudDrop",
				"Cobalt Strike",
				"Mimikatz",
				"STOCKPIPE",
				"Sharphound",
				"Watercycle"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "873a6c6f-a4d1-49b3-8142-4a147d4288ef",
			"created_at": "2022-10-25T16:07:23.455744Z",
			"updated_at": "2026-04-10T02:00:04.61281Z",
			"deleted_at": null,
			"main_name": "Chimera",
			"aliases": [
				"Bronze Vapor",
				"G0114",
				"Nuclear Taurus",
				"Operation Skeleton Key",
				"Red Charon",
				"THORIUM",
				"Tumbleweed Typhoon"
			],
			"source_name": "ETDA:Chimera",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"SkeletonKeyInjector",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434705,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd0b4df9f92872d4d94b591376705adca991dc57.pdf",
		"text": "https://archive.orkl.eu/dd0b4df9f92872d4d94b591376705adca991dc57.txt",
		"img": "https://archive.orkl.eu/dd0b4df9f92872d4d94b591376705adca991dc57.jpg"
	}
}