What is DarkSide?
DarkSide, a Ransomware-as-a-Service (RaaS) model, first appeared in August 2020. Before the Colonial Pipeline attack, the DarkSide group was heavily present on hacking forums and regularly updated ‘customers’ with news of the ransomware. To hit as many victims as possible at the same time, the gang created a programme for affiliates.
In line with other ransomware types, DarkSide uses double extortion, whereby the attackers steal the data and warn the victim that it will be made public if the demand is not met. This means victims cannot simply fall back on the strategy of restoring from data backups and rebooting systems.
DarkSide was noted for being deployed against victims in English-speaking nations and seems not to look for victims in nations linked to former Soviet Bloc countries. Demands were for between 200,000 and 2,000,000 USD. Although 40 victims had their data published by the gang, this is believed to be a small fraction of the total number of victims.
Notably, DarkSide is closely associated with REvil, another RaaS model.
Ransomware groups will often carry out a spate of attacks over a few months and then cease operations for up to a year before resuming them.