DarkSide
High Confidence | High Threat | FIN7
DarkSide is a financially motivated cybercriminal group that operated a Ransomware-as-a-Service (RaaS) platform: the core team developed and maintained the ransomware, the leak site and the payment infrastructure, while affiliates recruited on Russian-language forums carried out the intrusions and deployed the ransomware in exchange for a share of each ransom. The group first appeared in August 2020 and gained notoriety for its high-profile attacks, most notably the May 2021 Colonial Pipeline attack, in which the operator halted pipeline operations as a precaution and caused significant disruption to fuel supplies on the U.S. East Coast.

DarkSide's operators and affiliates targeted large, high-revenue organizations across a range of sectors and practised double extortion: they exfiltrated sensitive data before encrypting systems, then threatened to publish it on their leak site if the ransom was not paid. The group's operations demonstrated a degree of sophistication, with affiliates conducting thorough reconnaissance on victims (including their financial position, to size the ransom demand) before deployment. DarkSide also published a code of conduct that prohibited attacks against certain entities, such as hospitals, schools, non-profits and government agencies.

Following intense law-enforcement pressure after the Colonial Pipeline attack, the group announced in May 2021 that it was shutting down, claiming it had lost access to its servers and cryptocurrency funds. However, it is widely assessed that the actors behind DarkSide have since continued under other names; the BlackMatter ransomware operation that emerged in July 2021 is commonly regarded as a rebrand.
Target Sectors
Target Regions
Attributed to Criminal Organization (Russia). Attribution confidence: High.
Future Outlook
The DarkSide brand announced its shutdown in May 2021, but the actors behind it are expected to continue ransomware operations under other names, with critical infrastructure remaining a likely target.
First observed activity
Last known activity