DarkSide Ransomware: the Colonial Pipeline hack
The FBI confirmed this week that a relatively new ransomware-developing threat actor known as DarkSide is responsible for an attack that caused the shutdown of 5,550 miles of Colonial Pipeline infrastructure, blocking countless barrels of gasoline, diesel and jet fuel on the Gulf Coast.
Several cyber intelligence firms stated that the attack was not intended to damage national infrastructure and was simply associated with extortive activities typical of Ransomware and Double-Extortion attacks.
This would be consistent with DarkSide’s previous activities, which included several “Big Game Hunting” attacks, in which adversaries target organisations that possess the financial means to pay substantial ransoms.
Threat actor: DarkSide
In response to public attention on the Colonial Pipeline attack, the DarkSide group sought to minimise concerns about attacks on critical infrastructure in future:
“We are apolitical, we do not participate in geopolitics, we do not need to tie ourselves to a defined government and look for other motivations”, reads an update to the DarkSide Leaks blog. “Our goal is to make money and not create problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in future”.
First appearing on Russian-language hacking forums in August 2020, DarkSide is a RaaS platform (Ransomware-as-a-Service) that affiliates can rent to infect companies with ransomware and execute negotiations and payments with victims. DarkSide claims it targets only large companies and prohibits affiliates from launching ransomware on organisations in several sectors, including healthcare, funeral services, education, public sector and non-profit organisations.
Like other ransomware platforms, DarkSide follows the now-common practice of double extortion: one payment is demanded for the decryption key needed to unlock files and servers, and a second in exchange for a promise not to publish the data stolen from the victim.
At its launch, DarkSide sought to lure affiliates away from competing ransomware programmes by advertising greater trust and reliability than its rivals. Under the “Why choose us?” heading of the ransomware programme thread, the administrator wrote:
“High level of trust from our targets. They pay us and know they will receive decryption tools. They also know we download data. Lots of data. This is why the percentage of our victims who pay the ransom is so high and it takes so little time to negotiate”.
At the end of March, DarkSide introduced a “call service” feature integrated into the affiliate management panel, which let affiliates arrange, directly from the panel, calls that pressured victims into paying ransoms.
In mid-April the ransomware programme announced a new feature for affiliates, the ability to launch DDoS attacks (Distributed Denial-of-Service) against targets to exert additional pressure during ransom negotiations. Our Managed Detection and Response telemetry tracked this capability deployment across multiple affiliate operations during this period.
“Now our team and our partners encrypt many companies that trade on NASDAQ and other stock exchanges”, DarkSide explains. “If the company refuses to pay, we are ready to provide information before publication, so that it is possible to profit from the reduction in share price. Write to us in ‘Contact us’ and we will provide you with detailed information.”
DarkSide also began recruiting new affiliates last month, primarily seeking network penetration testers who can help transform a single compromised computer into a data breach and ransomware incident.
Portions of a DarkSide recruitment message, translated from Russian, read: “We have grown significantly in terms of client base and compared to other projects (judging by analysis of publicly available information), so we are ready to grow our team and a number of our affiliates in two fields”.
The announcement continued:
“Network Penetration Tester. We are looking for a person or a team. We will adapt you to the working environment and provide you with work. High profit cuts, ability to target networks you cannot handle alone. New experience and stable income.”
The DarkSide operational model demonstrates how RaaS platforms continue to evolve beyond technical capabilities into full-service criminal enterprises, integrating victim pressure mechanisms and affiliate recruitment strategies that mirror legitimate business development practices.