Menu
Browse

Cyber Threat Actor: DarkSide

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Crime Syndicate
Russia
26 incidents
Profile

DarkSide, also known as BlackMatter and the DarkSide Group, is a ransomware‑as‑a‑service operation that has been linked to actors based in Russia. The group provides ransomware tools to affiliates in exchange for a portion of the profits generated from extortion campaigns. After the high‑profile Colonial Pipeline attack in May 2021, DarkSide’s public infrastructure was taken offline, and the operation is believed to have rebranded as BlackMatter. DarkSide has targeted a range of sectors, including energy (Colonial Pipeline), chemical distribution (Brenntag), manufacturing (Toshiba Tec Corp), retail (Guess, Wonderbox, BLK Sport), financial services (One Call Insurance, Banca di Credito Cooperativo), agriculture (NEW Cooperative), media software (Marketron), healthcare technology (Olympus) and managed service providers (CompuCom). In each case the actors have demanded ransom payments, typically in Bitcoin, and have threatened to publish stolen data on a Tor‑hosted leak site if the demands are not met.

The group’s tactics involve gaining initial access to a victim network, moving laterally, and exfiltrating unencrypted files before deploying ransomware. They frequently seek control of a Windows domain controller to facilitate network‑wide deployment of their encryption payload. DarkSide maintains a data leak site on the darknet where they post victim‑specific entries and, after a waiting period, begin publishing the allegedly stolen files. Ransom notes delivered to victims outline the demanded amount, provide payment instructions, and warn of double extortion should the victim refuse to pay. Negotiations have been observed in incidents such as the Brenntag attack, where an initial demand of roughly $7.5 million was reduced to $4.4 million before payment. Notable operations include the Colonial Pipeline shutdown that halted fuel supplies across the U.S. East Coast, the $4.4 million ransom paid by Brenntag, the claimed theft of over 740 GB of data from Toshiba, the disruption of Marketron’s broadcast‑revenue platforms, the $5.9 million ransom demand levied against the NEW Cooperative, and the limited data extraction reported by Wonderbox from a single workstation. These activities illustrate the group’s reliance on ransomware deployment, data theft, and extortion as core components of their operational model.

Incidents
Attributed incidents available to members
26 incidents
Sources
Sources available to members
18 sources