Security Researchers Dive Into DarkSide Ransomware

Following the ransomware attack that impacted the pipeline operated by Georgia-based Colonial Pipeline, security firms are providing detailed information on the cybercriminal gang behind the attack.

The pipeline is said to carry roughly 45% of the fuel consumed on the East Coast, with the attack considered the most disruptive cyberattack to date on critical U.S. infrastructure.

The incident was quickly associated with the cybercriminal gang known as DarkSide, which has been active since August 2020.

In January 2021, Bitdefender released a decryptor for the DarkSide ransomware, to help victims restore their files without paying the ransom. However, the hackers took steps to ensure that the decryptor no longer works.

DarkSide functions as a ransomware-as-a-service (RaaS), where affiliates help deliver the malware in exchange for a percentage of the amount the victim pays in ransom. At least five Russian-speaking affiliates have been identified to date, security researchers with FireEye’s Mandiant team reveal.

The RaaS follows the now-standard double-extortion playbook: once target systems have been compromised, data is exfiltrated and then encrypted, and the victim is given a way to contact the attackers to receive payment details and negotiate the ransom.

Profits are shared with the affiliates, who gain access to the administrative panel only after passing an interview and who do much of the hands-on work, including breaching organizations and deploying the ransomware. According to FireEye, the DarkSide operators keep 25% of ransom payments under $500,000 and 10% of payments above $5 million, with the affiliate retaining the remainder.

Like a growing number of extortion crews, the DarkSide gang maintains a leak blog on the Tor network where it names compromised organizations, presumably to pressure them into paying, FireEye notes. The threat actor may also launch distributed denial-of-service (DDoS) attacks against victims that refuse to pay.

Victims can negotiate the ransom directly with the attackers. In one incident reported by investigative journalist Brian Krebs, the attackers initially demanded $30 million; the victim negotiated the sum down to $11 million and received assurances that the stolen data would be deleted and that its network would not be attacked again.

To date, DarkSide has been used in attacks on dozens of organizations in the financial services, technology, legal, manufacturing, retail, and professional services sectors.

Security researchers with cybercrime intelligence firm Intel 471 say that, for initial access, the threat actors rely on credentials purchased on underground forums, brute-force attacks, and spam email campaigns or botnets that deliver the malware. At least one zero-day vulnerability has also been exploited in such attacks.

Post-exploitation tools employed in DarkSide attacks may include Cobalt Strike, Metasploit, BloodHound, Mimikatz, F-Secure Labs’ Custom Command and Control (C3) framework, TeamViewer, the SMOKEDHAM backdoor, and the NGROK utility.
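The two preceding paragraphs describe the signals a defender can hunt for: brute-force logon bursts at the initial-access stage, and the execution of known post-exploitation tooling afterwards. The following Python script is an added example, not code from the article, FireEye, Intel 471 or CISA. It runs both checks over constructed log records; the field names (ts, user, src, result, host, image, cmdline), hostnames, addresses and the regular expressions are assumptions made for the demo, not a real SIEM schema or vendor signatures.

```python
"""Hunt for DarkSide-style intrusion signals in constructed log records.

Added example, not from the article or the vendors it cites.
  1. find_bruteforce: many failed logons for one (user, source) pair
     inside a short window, and whether a success followed the burst.
  2. find_tooling: process creations whose image or command line
     matches the post-exploitation tools named in the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Illustrative patterns for tools named in the article (assumption: these
# are NOT vendor signatures; renamed binaries will not match).
TOOL_PATTERNS = {
    "mimikatz": re.compile(r"mimikatz|sekurlsa::|lsadump::", re.I),
    "ngrok": re.compile(r"\bngrok(\.exe)?\b.*\b(tcp|http)\b", re.I),
    # beacon binary name or one historical default SMB-beacon pipe prefix
    "cobalt_strike": re.compile(r"beacon\.(exe|dll)|pipe\\msagent_", re.I),
    "bloodhound": re.compile(r"sharphound|bloodhound", re.I),
    "teamviewer": re.compile(r"teamviewer(_service)?\.exe", re.I),
}

# Constructed authentication events (not real data).
AUTH_LOG = [
    {"ts": "2021-05-10T02:00:01", "user": "svc_backup", "src": "203.0.113.10", "result": "fail"},
    {"ts": "2021-05-10T02:00:09", "user": "svc_backup", "src": "203.0.113.10", "result": "fail"},
    {"ts": "2021-05-10T02:00:17", "user": "svc_backup", "src": "203.0.113.10", "result": "fail"},
    {"ts": "2021-05-10T02:00:25", "user": "svc_backup", "src": "203.0.113.10", "result": "fail"},
    {"ts": "2021-05-10T02:00:33", "user": "svc_backup", "src": "203.0.113.10", "result": "fail"},
    {"ts": "2021-05-10T02:00:41", "user": "svc_backup", "src": "203.0.113.10", "result": "success"},
    {"ts": "2021-05-10T02:05:00", "user": "jdoe", "src": "10.0.5.21", "result": "fail"},
    {"ts": "2021-05-10T02:05:20", "user": "jdoe", "src": "10.0.5.21", "result": "success"},
]

# Constructed process-creation events (not real data).
PROC_LOG = [
    {"host": "WS01", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe report.txt"},
    {"host": "WS01", "image": r"C:\Users\Public\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"host": "DC01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -c \"Invoke-Mimikatz -Command 'sekurlsa::logonpasswords'\""},
    {"host": "DC01", "image": r"C:\ProgramData\SharpHound.exe", "cmdline": "SharpHound.exe -c All"},
]


def find_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return one record per (user, src) with >= threshold failures in `window`."""
    fails, succ = defaultdict(list), defaultdict(list)
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        (fails if e["result"] == "fail" else succ)[(e["user"], e["src"])].append(t)
    hits = []
    for key, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = times[end]
                hits.append({
                    "user": key[0], "src": key[1], "failures": len(times),
                    # a success after the burst suggests the guess succeeded
                    "success_after": any(t > burst_end for t in succ.get(key, [])),
                })
                break
    return hits


def find_tooling(events):
    """Return (host, tool) for every process event matching a tool pattern."""
    hits = []
    for e in events:
        haystack = f"{e['image']} {e['cmdline']}"
        for name, pat in TOOL_PATTERNS.items():
            if pat.search(haystack):
                hits.append((e["host"], name))
                break  # one label per event is enough for triage
    return hits


if __name__ == "__main__":
    for h in find_bruteforce(AUTH_LOG):
        print("brute force:", h)
    for h in find_tooling(PROC_LOG):
        print("tooling:", h)
```

Two caveats follow directly from the article's description. Keying the logon check on (user, source) catches a single-source brute force but not a password spray distributed across purchased credentials and many botnet addresses; keying on source alone, or on failure counts per user regardless of source, covers that case. And name-based process matching is only a first pass: the tools listed above are routinely renamed or loaded in memory, so the matches are a triage aid, not a substitute for behavioural detections such as LSASS access or unexpected outbound tunnels.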

FireEye analyzed intrusions by three of the DarkSide affiliates and found markedly different dwell times: one affiliate deployed the ransomware only three days after the initial compromise, while a more established actor (active since April 2019) tends to lurk in compromised networks for months before doing so.

“We believe that threat actors have become more proficient at conducting multifaceted extortion operations and that this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years. Ransomware operators have incorporated additional extortion tactics designed to increase the likelihood that victims will acquiesce to paying the ransom prices,” FireEye notes.

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI released an alert to provide information on the best practices organizations should adopt to prevent falling victim to DarkSide ransomware attacks.

These include enforcing multi-factor authentication, robust network segmentation between IT and OT networks, regular testing of defenses, maintaining backups that are isolated from the production network, restricting access to resources, and preventing unauthorized execution of programs.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
