
Hacktivism: DarkSide Hacking Group

DATE: December 12, 2024


DarkSide is a ransomware group believed to be based in Russia. It sells ransomware as a service alongside its own frequent high-profile attacks. First spotted in 2020, the group is relatively new and acts mostly as a ransomware supplier, with other large hacking groups as its clientele.

Structure 

DarkSide runs one of the most distinctive business structures we have seen. It works by recruiting affiliate subscribers: individual hackers and hacking groups who are heavily screened before being admitted. Once accepted, affiliates are given access to DarkSide's ransomware, but it comes at a cost: they owe DarkSide a share of every ransom payment they collect.

The group operated in a very official-looking manner. With a professional website and a clear structure, it almost flew under the radar. Its flashiness, however, eventually contributed to its downfall.

Hacktivism? 

What DarkSide did during its time as a group was highly illegal, and its full reach is impossible to estimate; there is no way to know how many people continue to be affected by its ransomware. The group is thought of as hacktivist because of a set of public statements, reported on by the cybersecurity company Kaspersky, in which it claimed to target only large organizations that can afford its ransoms rather than schools, hospitals, and non-profits. Kaspersky made it clear that the group was cultivating a 'Robin Hood' image, especially because it claimed to donate part of its profits. Only one donation has actually been confirmed: DarkSide sent 0.88 Bitcoin (about $10,000) to Children International. The charity refused the money because it was clearly stolen.

Attacks 

DarkSide was known to target large oil and gas companies, and is best known for its involvement in the Colonial Pipeline ransomware attack of May 2021. The group extorted 75 Bitcoin, roughly $5 million at the time, after its ransomware hit Colonial's IT systems and the company voluntarily shut down its main pipeline as a precaution. That pipeline supplies about 45% of the East Coast's fuel, and the shutdown led to fuel shortages and emergency declarations in many states. In June 2021 the U.S. Department of Justice announced it had recovered 63.7 of the 75 Bitcoin. At first the attack was suspected to be the work of a group funded by the Russian government, but DarkSide later issued this statement:

"We are apolitical, we do not participate in geopolitics...Our goal is to make money and not creating problems for society." 

And the group has stuck to that line. Its track record is long, but it consists of large corporations or those who 'can afford it'. For Colonial, the incident cost an extra $4 million in damages and operating costs.

DarkSide's other victims include CompuCom, an IT services provider; Discount Car and Truck Rentals, a Canadian rental company; and Brenntag, a German chemical distribution company. The group also attacked the electronics company Toshiba Tec Corp., where it claimed to have stolen over 740 gigabytes of data, including large amounts of personal information, and threatened to publish it unless a ransom was paid.

Over about a year, DarkSide received an estimated $90 million in ransom payments from 47 different organizations, an average of around $2 million per ransom. These figures cover only the group's own attacks and its share of affiliate ransoms. The total damage goes far beyond that, but there is no official count of affiliates or of the attacks they carried out.

Shut Down 

In May 2021 the group publicly announced that it was shutting down, citing 'pressure from the U.S.' It had just lost access to several of its servers and to its funds, which some reporting attributed to action by the U.S. government, though this was never confirmed. In November 2021, the U.S. Department of State announced a reward of up to $10 million for information leading to the identification or location of the group's leaders, and up to $5 million for information leading to the arrest or conviction of anyone conspiring to take part in a DarkSide ransomware attack.

As of 2022, the latest reporting suggests that the group shut down only to rebrand: first as BlackMatter in mid-2021, which is widely assessed to be a DarkSide rebrand, and then possibly as BlackCat (also known as ALPHV), a group that has since been found using ransomware with features very similar to DarkSide's. This is not uncommon; plenty of hacking groups disband before they face legal action so that they can rebrand and keep working under a different name.

DarkSide is a glaring reminder that hacktivism exists, but on different levels. Even though the group claimed a hacktivist image, its actions hurt a lot of people, and not just financially. Calling something hacktivism does not mean the hacking is justified by the activism; that depends entirely on the group's actions, and in DarkSide's case those actions caused a great deal of harm with very little activism to back them up.

About the author

Hope Trampski

Student Assistant

htrampsk@purdue.edu



Purdue University, 610 Purdue Mall, West Lafayette, IN 47907, (765) 494-4600

