Who is Darkside—The Group Behind the Colonial Pipeline Breach?

Posted: 26th May 2021
By: GEMINI ADVISORY
Editor’s Note: The following post is an excerpt of a full report by Gemini Advisory. To read the entire analysis, click here to view the full report.

Background

Gemini Advisory has previously written a public report that describes the operations and tactics of ransomware teams. The “DarkSide” ransomware group recently reached widespread notoriety as the suspected culprit behind the Colonial Pipeline ransomware attack. This attack disrupted the largest pipeline for refined oil products in the United States and has led to ongoing gas shortages, with the pipeline’s systems beginning to restart on Wednesday, May 12. DarkSide is also known for high ransom demands and is considered one of the most prolific ransomware groups in the field. According to multiple sources, the group first appeared in August 2020 and remains active as of this writing. The group also provides Ransomware-as-a-Service (RaaS), essentially a malware rental model in which other cybercriminals rent DarkSide’s malware to conduct their own ransomware attacks.

Key Findings

  • The “DarkSide” ransomware group has made the news in 2021 due to its high-value targets such as the Colonial Pipeline and its high ransom amounts. It is considered to be one of the most prolific ransomware groups in the field. In August 2020, the DarkSide team launched its own public blog, “DarkSide Leaks”, to intimidate victims, boast about its attacks, and post stolen information from victims who did not pay the ransom.
  • The group established criteria for whom it partners with (experienced Russian-speaking hackers) and whom it allows partners to target (former Soviet states and certain industries are off-limits).
  • DarkSide has recently reached widespread notoriety as the suspected culprit behind the Colonial Pipeline ransomware attack. While DarkSide’s blog is down as of this writing, it released a statement in which it claimed to be apolitical, uninterested in “creating problems for society”, and unaffiliated with any governments.
  • The DarkSide ransomware group is notable for its professionalism, including its attention to its product, customer service, and “code of ethics”. This professionalism makes DarkSide a particularly dangerous and capable ransomware group, although the full fallout from a highly public attack on critical American infrastructure remains to be seen.
