DarkSide

darkside · primary source: Other · first observed 2020 · last observed 2021

RU · RussiaRansomwareModerate confidencelast cited May 6, 2021 · 5y ago

Russian-speaking ransomware-as-a-service operation active from August 2020 to May 2021, when an affiliate's compromise of Colonial Pipeline triggered the fuel-supply crisis on the U.S. East Coast and prompted a U.S. policy and law-enforcement response that drove the brand to shut down. Operationally rebranded as BlackMatter (July 2021-November 2021), then ALPHV/BlackCat (November 2021-March 2024) per consistent code, infrastructure, and operator overlap reported by multiple vendors.

Aliases

Carbon SpiderCrowdStrikeUNC2628Mandiant

Motivations

financial gain

Target sectors

energymanufacturingfinancialprofessional services

Target countries

USGBCAAUFR

Lineage & relationships

full graph →

Predecessor of

ALPHV/BlackCat

DarkSide → BlackMatter (2021) → ALPHV/BlackCat (2021-2024)

Diamond Model

Caltagirone / Pendergast / Betz 2013 — four-vertex attribution framework.

Adversary

DarkSide
Russia
financial gain

Capability

Infrastructure

darksidedxcftmqa.onion
athaliaoriginals.com

Victim

energy
manufacturing
financial
US
GB
+1 more

MITRE ATT&CK techniques

T1486 T1490 T1567.002 T1078

Timeline

1 event

CompromiseCritical2021-05-07·CISA
DarkSide affiliate compromises Colonial Pipeline, halts East Coast fuel
A DarkSide affiliate compromised Colonial Pipeline — the operator of the largest refined-products pipeline in the United States, supplying ~45% of East Coast fuel — and encrypted business systems. Colonial proactively shut down operational systems and paid a $4.4M ransom; the FBI later recovered ~$2.3M of the BTC. The incident triggered fuel shortages across multiple southeastern states, executive-branch attention from the White House, and the policy pressure that drove DarkSide to shut down its operation within weeks.
critical-infrastructureransomwareenergyus

Indicators of compromise

3 indicators

defangedcsv

Type	Value	First seen	Source
Name	power_encryptor.exe family · DarkSide DarkSide encryptor binary name observed across the intrusions Mandiant documented in 'Shining a Light on DARKSIDE' (May 11, 2021) - the public report on the Carbon Spider-aligned RaaS responsible for the Colonial Pipeline shutdown.	May 10, 2021	Mandiant
Domain	darksidedxcftmqa[.]onion family · DarkSide DarkSide data-leak Tor hidden service URL embedded in victim ransom notes during the campaigns Mandiant profiled in its May 11, 2021 'Shining a Light on DARKSIDE' report covering UNC2628, UNC2659 and UNC2465 affiliates - the same RaaS used against Colonial Pipeline on May 7, 2021 (CISA AA21-131A).	May 10, 2021	Mandiant
Domain	athaliaoriginals[.]com family · DarkSide DarkSide command-and-control domain documented in Mandiant's May 11, 2021 report on the DARKSIDE ransomware-as-a-service operation, contemporaneous with the Colonial Pipeline incident addressed in joint CISA/FBI advisory AA21-131A.	May 10, 2021	Mandiant

Related actors

shared ATT&CK techniques

?? · UnknownALPHV/BlackCat4 shared techniques
RU · RussiaINC Ransom4 shared techniques
RU · Russia8Base3 shared techniques
?? · UnknownAkira3 shared techniques
RU · RussiaConti3 shared techniques
?? · UnknownHive3 shared techniques

References

DarkSide Ransomware: Best Practices for Preventing Business Disruption (AA21-131A)
CISA · 2021-05-11

cite this page

Threat Intel Tracker. (2026-05-19). DarkSide — actor profile. Retrieved from https://threatintel.local/actors/darkside

latest cited activity · 2021-05-07 · 3 cataloged indicators