
Redazione RHC : 12 November 2025 21:24
Researchers across the cyber community have been exchanging a great deal of information lately about the DarkSide ransomware cyber gang, the emerging cybercriminal group that has suddenly risen to global infamy.
We had also talked about Sodinokibi/REvil in a previous article, another cyber gang known to date for high-profile attacks on companies such as Honda, Jack Daniels, Acer, Grubman Shire Meiselas & Sacks and, most recently, Quanta/Apple, and a few weeks ago we also published an interview with one of its leaders, known as UNKNOW.
But after the Colonial Pipeline incident by DarkSide, how could we not talk about this emerging cyber gang?
Having first entered the international scene in August 2020, when it gained some attention by donating part of its ransom profits to charities, DarkSide is an experienced group that has earned an “honorable” reputation, as an action of this kind had never been seen before in the world of cybercrime.
Researchers say DarkSide likes to see itself as a reckless gang, a kind of Robin Hood who robs the rich and gives to the poor, even though this all borders on delusional, self-aggrandizing narcissism.
But interestingly, in a departure from the usual behavior of other ransomware groups, DarkSide attempted to distance itself from the Colonial Pipeline attack by conducting a “crisis-management” and apparent damage-limitation exercise, releasing a statement in which it said its sole goal was “to make money and not cause problems for society.”
It is not clear after this comment what they thought they were getting at.
But it is understood that DarkSide also stated that the attack on Colonial Pipeline was carried out by one of their affiliates and that in the future it will more closely monitor its partners’ targeting to “avoid social consequences.”
The most disturbing thing is that we’re treating cybercriminals as if they were real organizations. We should probably all reflect on all this.
Sean Gallagher, Mark Loman, and Peter Mackenzie of Sophos (who have dealt with several DarkSide victims through the company’s incident response service) said this backtracking was likely the most impactful phenomenon in the Colonial Pipeline attack.
“It apparently made DarkSide operators more famous than they were before,” they stated in a recently published report.
The gang had previously promised to spare healthcare organizations, as well as others involved in vaccine distribution, due to the negative attention such attacks could potentially bring to the cyber gang’s home country. But because of the way DarkSide operates, it’s unclear how much control they have over the affiliates who do the actual work of breaking into companies’ networks and launching their ransomware.
FireEye Mandiant researchers Jordan Nuce, Jeremy Kennelly, Kimberly Goody, Andrew Moore, Alyssa Rahman, Brendan McKeague, and Jared Wilson added:
A recent update on their dark web forum indicates that the group can also conduct distributed denial of service (DDoS) attacks on victims. User ‘darksupp’ stated that affiliates are prohibited from targeting hospitals, schools, universities, non-profit organizations, and public sector entities.
This could be an effort by the gang to discourage law enforcement action, as targeting these sectors could create problems for trademark holders. Members are also prohibited from targeting organizations in Commonwealth of Independent States (CIS) nations.
Despite its sudden reticence, DarkSide has so far followed in the footsteps of other notorious double-extortion ransomware gangs, such as REvil/Sodinokibi, Maze, and LockBit, exfiltrating data and threatening to release it on a leak blog reachable via the Tor browser unless the victim pays. Like those earlier groups, it is also known for making rather hefty demands.
The FireEye Mandiant team reported that the gang’s affiliates are required to provide the DarkSide developers with 25% of the total ransom payment if the ransom is less than $500,000, and 10% for payments exceeding $5 million.
The Mandiant team said it was clear that the DarkSide gang was becoming increasingly skilled at multi-faceted extortion operations.
The team noted the recent release of information suggesting that DarkSide would target NASDAQ and other listed companies, disclosing these attacks in advance to traders and friends so they could position their holdings and profit from any impact on the share price of the company hit by the ransomware.
Another really impressive example reported by Mandiant is the following:
“A DarkSide affiliate was able to exfiltrate the victim’s cyber insurance policy and exploited this information during the ransom negotiation process, refusing to reduce the amount given their knowledge of the policy’s limitations.”
And they also added:
This reinforces the fact that during the post-exploitation phase of ransomware incidents, threat actors can engage in internal reconnaissance and obtain data to increase their negotiating power. We expect the extortion tactics used by these groups to pressure victims to continue to evolve throughout 2021.
Everyone seems to agree that the DarkSide gang’s tactics, techniques, and procedures (TTPs) also mirror those of other ransomware operations, combining native Windows functionality, commodity malware, and off-the-shelf red team tools such as Cobalt Strike.
The gang outsources initial compromise and persistence to network intrusion specialists, who then hand over network access to the gang that develops the ransomware. The Sophos team believes these affiliates are likely straightforward ransomware operators who also work with other cyber gangs. FireEye Mandiant has confirmed this, believing that many affiliates are also associated with Babuk and REvil.
“Based on Sophos’ experience in data forensics and incident response to DarkSide attacks, initial access to the target’s network was primarily derived from phishing credentials.”
said the Sophos team.
“This is not the only way ransomware attackers can gain persistence, but it appears to be prevalent in cases involving this type of ransomware, likely due to affiliate preferences.”
Mandiant said it has seen exploitation of CVE-2021-20016, a SQL injection vulnerability in the SonicWall SSL-VPN SMA100 product that allows an unauthenticated attacker to execute SQL queries and retrieve usernames, passwords, and other session-related information.
Mandiant tracks DarkSide activity with three different clusters it has dubbed UNC2628, UNC2659, and UNC2465, which differ in that they use different methods to establish persistence.
Among other tools, UNC2628 favors the Cobalt Strike framework and BEACON payloads, sometimes uses Mimikatz for credential theft, and has even used F-Secure’s custom command and control framework. UNC2659 instead uses TeamViewer for persistence, and UNC2465, the oldest known DarkSide-related attacker, deploys the PowerShell-based .NET backdoor known as SMOKEDHAM.
Once persistence is established, the attacker typically remains within the network for around 45 days, although dwell times of up to 88 days are known (we are essentially talking about an APT, an Advanced Persistent Threat). During this time it steals as much data as possible, often targeting multiple departments within the organization, with accounting and research and development (R&D) being particularly favored.
The gang moves within the victim’s network using PsExec and remote desktop connections (SSH on Linux servers) and uploads the stolen data to a cloud storage provider, Mega or pCloud. Victims are extorted in Bitcoin or Monero. Sophos notes that the gang does not accept Elon Musk’s favorite dogecoin.
“While some recent targeted ransomware operations by other gangs have emerged quickly, launching their attack within days, the actors behind DarkSide campaigns can snoop around networks for weeks or months before activating their ransomware payload,” said the Sophos team.
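The two behaviours described above, lateral movement with PsExec and bulk uploads to Mega or pCloud, both leave traces a defender can look for. The script below is an added example (not from the article, Sophos, or Mandiant) that scans constructed sample log lines: it flags Windows System log event 7045 (service installed) entries whose service name is PSEXESVC, which PsExec creates on the remote host, and proxy log entries showing large PUT/POST uploads to those cloud storage domains. The log line formats, the 100 MiB threshold, and the sample values are all assumptions made for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample logs (not from the article), one event per line.
# Format 1: Windows System log Event ID 7045 flattened to key=value text.
# Format 2: web proxy log "<ts> <src_ip> <method> <url> <bytes_out>".
SAMPLE_LOGS = """
2021-05-07T02:13:41Z host=FS01 EventID=7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2021-05-07T02:13:55Z host=FS01 EventID=7045 ServiceName=Spooler ImagePath=%SystemRoot%\\System32\\spoolsv.exe
2021-05-07T02:20:03Z 10.0.12.34 PUT https://g.api.mega.co.nz/ul/abc 734003200
2021-05-07T02:21:10Z 10.0.12.34 GET https://www.example.com/index.html 512
2021-05-07T03:02:44Z 10.0.12.40 POST https://api.pcloud.com/uploadfile 209715200
""".strip().splitlines()

# Cloud storage services the article names as exfiltration destinations.
EXFIL_DOMAINS = ("mega.nz", "mega.co.nz", "pcloud.com")
# Upload size threshold in bytes (assumption: 100 MiB is unusual for normal browsing).
UPLOAD_THRESHOLD = 100 * 1024 * 1024

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=7045 ServiceName=(?P<svc>\S+)")
PROXY_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes>\d+)$"
)


def in_exfil_domains(url):
    """True if the URL's host is one of the cloud storage domains or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS)


def scan(lines):
    """Return (finding_type, where, timestamp) tuples for suspicious lines."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if m and m.group("svc").upper() == "PSEXESVC":
            findings.append(("psexec_service_install", m.group("host"), m.group("ts")))
            continue
        m = PROXY_RE.match(line)
        if (m and m.group("method") in ("PUT", "POST")
                and in_exfil_domains(m.group("url"))
                and int(m.group("bytes")) >= UPLOAD_THRESHOLD):
            findings.append(("cloud_upload", m.group("src"), m.group("ts")))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(*finding)
```

In practice the 7045 events come from the System log of every host, and the upload check is better fed from proxy or firewall logs aggregated per source address, so repeated uploads below the threshold are still summed.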
Now you know how ransomware works.
Redazione