DarkSide

Threat Actor Profile Updated 25 days ago
DarkSide is a notorious threat actor associated with significant cyber attacks, most notably the 2021 ransomware attack on the US Colonial Pipeline. The group was known for its adoption of the ransomware-as-a-service (RaaS) model and had reportedly netted over $90 million in Bitcoin as of 2021.

DarkSide's operations were shut down in May 2021 following law enforcement action after the Colonial Pipeline incident. It was reported that the group lost control of its infrastructure to US law enforcement, and possibly the US military, before going dark. A subsequent attempt to re-emerge and rebrand as BlackMatter was quickly thwarted by the FBI.

Decryption tools are available that can unlock a variety of ransomware families, including those deployed by DarkSide; for instance, Bitdefender Labs released a DarkSide ransomware decryption tool in January 2021. Other notable ransomware families for which decryptors are available include WannaCry, Petya, NotPetya, TeslaCrypt, REvil, Alcatraz Locker, Apocalypse, BadBlock, Bart, BTCWare, EncrypTile, and Globe.

DarkSide, along with other threat actors such as Avaddon and Babuk, claimed its ransomware could be deployed against older systems such as Windows XP and Windows 2003, as well as VMware ESXi and Synology NAS. Another group, FIN7, has also reportedly used DarkSide's ransomware in its attacks, signalling a shift towards more aggressive tactics. After DarkSide's shutdown, some members allegedly formed a new group called ALPHV/BlackCat, which continued similar operations. These groups and their activities underscore the evolving nature of cyber threats and the need for robust cybersecurity measures.
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.
Blackmatter (9 votes)
BlackMatter, a threat actor known for its malicious activities in the cybersecurity landscape, emerged as a variant of the notorious "DarkSide" ransomware. In May 2021, after launching an attack on Colonial Pipeline, the group rebranded itself from DarkSide to BlackMatter. However, due to increased

Alphv (7 votes)
AlphV, also known as BlackCat, is a significant threat actor within the cybercrime landscape. Throughout 2023, AlphV has been responsible for numerous high-profile ransomware attacks, stealing significant amounts of data from various organizations. The group claimed responsibility for hacking Clario
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
RaaS
Ransom
Malware
Windows
Esxi
Cybercrime
Vulnerability
Vpn
Bitcoin
Extortion
Russia
Scam
Encryption
Exploit
Associated Malware
REvil (relation: is related to; 9 votes)
REvil, also known as Sodinokibi, is a notorious malware that gained prominence due to its harmful impact on computer systems and data. It operates under the Ransomware as a Service (RaaS) model, which saw a significant rise in popularity throughout 2020. The malware typically infects systems via sus

Lockbit (relation: unspecified; 6 votes)
LockBit is a malicious software, or malware, that has been significantly active in recent years. It is designed to infiltrate systems and cause significant damage by stealing sensitive information, disrupting operations, and holding data hostage for ransom. In 2023, security firm Rapid7 named LockBi

Avaddon (relation: unspecified; 5 votes)
Avaddon is a type of malware, specifically ransomware, designed to exploit and damage computer systems. It was notable for its compatibility with older systems such as Windows XP and Windows 2003, distinguishing it from other ransomware like Darkside and Babuk which targeted more modern systems like

Maze (relation: unspecified; 5 votes)
Maze is a type of malware, specifically ransomware, that gained notoriety in 2019 for its double extortion tactic. This malicious software infects systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for ransom. Maze w

Babuk (relation: unspecified; 4 votes)
Babuk is a form of malware, specifically ransomware, that infiltrates systems often through suspicious downloads, emails, or websites. Once inside, it can cause severe disruptions, steal personal data, or even hold the system's data hostage for ransom. Various versions and variants of Babuk ransomwa

Conti (relation: unspecified; 4 votes)
Conti is a type of malware, specifically ransomware, that infiltrates systems to exploit and damage them, often stealing personal information or disrupting operations. This malicious software has been used in conjunction with other forms of malware such as Trickbot, BazarLoader, IcedID, and Cobalt S

Hive (relation: unspecified; 3 votes)
Hive is a malicious software, or malware, known for its disruptive capabilities and widespread damage. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold data h

Clop (relation: unspecified; 3 votes)
Clop is a malicious software (malware) designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or hold data hostage for ransom. T

Ragnar Locker (relation: unspecified; 3 votes)
Ragnar Locker is a type of malware, specifically a ransomware, that infiltrates computer systems to exploit and damage them. It infects systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Ragnar Locker can steal personal information, d

Ryuk (relation: unspecified; 3 votes)
Ryuk is a type of malware, specifically ransomware, that has been used extensively by the group ITG23. The group has been encrypting their malware for several years, using crypters with malware such as Trickbot, Emotet, Cobalt Strike, and Ryuk. In 2019, most ransomware investigations were linked to

Trigona (relation: unspecified; 2 votes)
Trigona, a notable ransomware strain first identified in 2022, is a type of malicious software designed to infiltrate systems and hold data hostage for ransom. Its operations gained significant attention in 2023, as it emerged as a prominent threat in the cybersecurity landscape. Trigona had a uniqu

Revil/sodinokibi (relation: unspecified; 2 votes)
REvil/Sodinokibi is a type of malware, specifically ransomware, first identified on September 24, 2019. This malicious software is designed to infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside a system, it can steal personal information,

Maze Ransomware (relation: unspecified; 2 votes)
Maze ransomware is a type of malware that emerged in 2019, employing a double extortion tactic to wreak havoc on its victims. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data hostage for

Cheerscrypt (relation: unspecified; 2 votes)
Cheerscrypt is a malicious software, or malware, that was discovered in May 2022. This particular malware specifically targets ESXi servers, which are extensively used by enterprises for server virtualization. The discovery of Cheerscrypt followed reports from Trend Micro in May 2021 about ransomwar

Lockbit Black (relation: unspecified; 2 votes)
LockBit Black, also known as LockBit 3.0, is a malware that emerged in early 2022 as the third version of the LockBit group's ransomware. The developer has consistently worked to improve this malicious software, with the previous version, LockBit 2.0 (also known as LockBit Red), being released in mi

Bablock (relation: unspecified; 2 votes)
BabLock, also known as Rorschach, is a type of malware that operates as ransomware. First identified by Check Point Research in April 2023, this harmful software infiltrates computer systems and devices, often without the user's knowledge, with the aim to exploit, damage, and potentially hold data h
Associated Threat Actors
FIN7 (relation: unspecified; 4 votes)
FIN7, a well-known threat actor group, has been actively targeting large-scale industries with sophisticated cyber attacks. Notably, they have been involved in a series of phishing attacks against a major U.S. carmaker. These targeted operations reflect FIN7's persistent and evolving strategies to c

Sodinokibi (relation: unspecified; 3 votes)
Sodinokibi, also known as REvil, is a prominent threat actor that has been associated with numerous high-profile ransomware attacks. First identified on April 17, 2019, this group operates as a Ransomware-as-a-Service (RaaS), providing malicious software for others to deploy. The group gained signif

LockBitSupp (relation: unspecified; 2 votes)
LockBitSupp, also known as Dmitry Yuryevich Khoroshev, is a notorious threat actor and the mastermind behind the prolific LockBit ransomware attacks. Operating under various aliases including "LockBit" and "putinkrab," Khoroshev has been actively involved in cybercrime for over 14 years, with his ac

Sangria Tempest (relation: unspecified; 2 votes)
Sangria Tempest, also known as FIN7, Carbon Spider, and ELBRUS, is a threat actor that has been active since 2014. This Russian advanced persistent threat (APT) group is known for its malicious activities, including spear-phishing campaigns, malware distribution, and theft of payment card data. In m
Associated Vulnerabilities
CVE-2021-20016 (relation: unspecified; 2 votes)
No profile description available.
Source Document References
Information about the DarkSide threat actor was read from the document corpus below. This display is limited to 20 results.
MITRE (a year ago): Shining a Light on DARKSIDE Ransomware Operations | Blog | Mandiant
MITRE (a year ago): DarkSide Ransomware Gang: An Overview
MITRE (a year ago): Smoking Out a DARKSIDE Affiliate's Supply Chain Software Compromise | Mandiant
CERT-EU (10 months ago): DarkSide Ransomware: Definition & Prevention - Panda Security
Secureworks (a year ago): Ransomware Evolution
MITRE (6 months ago): FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
CERT-EU (a year ago): New cybercrime group calling itself DarkBit attacks Israeli university
Checkpoint (a year ago): Rorschach - A New Sophisticated and Fast Ransomware - Check Point Research
CERT-EU (3 months ago): UnitedHealth subsidiary Optum hack linked to BlackCat ransomware
CERT-EU (6 months ago): ALPHV ransomware site outage rumored to be caused by law enforcement
CERT-EU (8 months ago): BlackCat ransomware hits Azure Storage with Sphynx encryptor
CERT-EU (4 months ago): Threat Prevention - Panda Security Mediacenter
Securityaffairs (10 months ago): Power Generator in South Africa hit with DroxiDat and Cobalt Strike
MITRE (6 months ago): The Evolution of PINCHY SPIDER from GandCrab to REvil | CrowdStrike
Secureworks (a year ago): Phases of a Post-Intrusion Ransomware Attack
CERT-EU (3 months ago): BlackCat ransomware turns off servers amid claim they stole $22 million ransom
CERT-EU (10 months ago): 200+ Free Ransomware Decryption Tools You Need [2022 List]
CERT-EU (5 months ago): Examples of Past and Current Attacks | #ransomware | #cybercrime | National Cyber Security Consulting
Trend Micro (a year ago): An Analysis of the BabLock Ransomware
CERT-EU (6 months ago): HTC Global Services confirms cyberattack after data leaked online