The DarkSide of ransomware (Colonial Pipeline attack and other threats)

Rohit Bankoti, Souhardya Sardar

Cyberstanc Corp



Since initially surfacing in August 2020, the creators of DARKSIDE ransomware and their affiliates have launched a global crime spree affecting organizations in more than 15 countries and multiple industry verticals. Like many of their peers, these actors conduct multifaceted extortion in which data is both exfiltrated and encrypted in place, allowing them to demand payment both for unlocking the data and for not releasing what was stolen, which exerts additional pressure on victims. The DarkSide RaaS (ransomware-as-a-service) criminal group only targets medical, government, education and non-profit organizations, and the organizations it compromises are subjected to blackmail extortion.


DarkSide and its affiliates follow the same human-operated model of ransomware deployment as other prolific ransomware groups that have plagued businesses in recent years. This means attackers gain access to networks through a variety of methods, including stolen credentials, followed by manual hacking techniques and the use of common system administration or penetration testing tools to perform lateral movement.

The goal is to map the network to identify critical servers, escalate privileges, obtain domain administrator credentials, disable and delete backups, exfiltrate sensitive data and, only when the terrain is fully prepared, deploy the ransomware to as many systems as possible in one go. This careful and methodical approach is far more effective, and harder to defend against, than ransomware programs that propagate automatically through networks using built-in routines that might fail and trip detection mechanisms.

DarkSide demonstrates modern corporate techniques to lure foot soldiers

RaaS and Initial Access Brokers (IABs)

IABs provide affiliates with a seemingly infinite pool of potential victims across different geographies and sectors. Affiliates typically buy corporate access from IABs cheaply and then infect those networks with a ransomware product obtained from the operators.

IABs allow this business model to continuously feed on new victims cheaply and efficiently, making ransomware operations function increasingly like a corporation rather than a traditional criminal gang.


“Would you like to earn millions of dollars? Our company acquires access to networks of various companies, as well as insider information that can help you steal the most valuable data of any company. You can provide us accounting data for access to any company, for example, login and password to RDP, VPN, corporate email, etc. Open our letter at your email. Launch the provided virus on any computer in your company. Companies pay us the foreclosure for the decryption of files and prevention of data leaks. You can communicate with us through the Tox messenger.”


Souhardya Sardar

Senior Developer