DarkSide is the ransomware operation that turned Colonial Pipeline gas station outages into a White House problem. Its operational lifespan was about nine months. In that time it built one of the most professional-looking RaaS programs of its era, executed the single most politically consequential ransomware attack in US history, and then collapsed under heat that no operation had ever attracted before. Its successors, BlackMatter and then BlackCat/ALPHV, make DarkSide one of the most influential short-lived brands in the entire ecosystem.
Origins
DarkSide launched in August 2020. Its operators presented themselves as professionals fed up with the carelessness of other ransomware groups. The launch announcement on a Russian-language forum read, in part, like a press release from a startup: experienced team, technically polished product, considered code of conduct.
The "code of conduct" was the brand’s first marketing hook. DarkSide announced that it would not target hospitals, hospices, schools, universities, non-profits, or government agencies. It also gave victims sample decryptions and structured negotiation processes. There was even a charity-donation publicity stunt in October 2020, when the operators announced they had donated $20,000 in stolen Bitcoin to two registered charities (which promptly returned the money). The pose was that this was an operation run by adults rather than degenerates.
In practice the rules were observed inconsistently and the moral framing was a transparent risk-management strategy: avoid headlines that would attract Western law enforcement.
The malware
The DarkSide locker was a hybrid Salsa20 + RSA-1024 design with a Linux/ESXi variant and a flexible affiliate panel. Notable features:
- Configurable per-build encryption modes, including partial encryption for speed.
- Hardcoded language checks that aborted execution on systems set to CIS-region locales.
- A polished negotiation portal with chat and ransom timers, paired with a Twitter-aware media strategy: the operators sometimes contacted journalists directly to publicise victims who refused to pay.
- A leak site with bidding mechanics for unsold data.
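One way a responder can spot the partial-encryption mode listed above during triage is to compare per-chunk entropy within a file: a locker that encrypts only part of each file leaves near-random and structured regions side by side. This is an added example, not DarkSide analysis code or any project's tooling; the 4 KiB chunk size, the 7.5/6.0 thresholds and the sample files are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096  # analysis granularity in bytes (assumed)

def shannon_entropy(data):
    """Bits per byte of a block: ~8.0 for random/ciphertext, 0.0 for empty."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_entropies(data, chunk=CHUNK):
    """Entropy of each fixed-size slice, so the touched offsets stand out."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def classify(data, high=7.5, low=6.0):
    """Label a file 'plain', 'encrypted' or 'partial' (thresholds are assumptions).

    'partial' means near-random and structured chunks coexist in one file,
    which is what a locker that encrypts only part of each file leaves on disk.
    """
    ents = chunk_entropies(data)
    if not ents:
        return "plain"
    hi = sum(e >= high for e in ents)
    lo = sum(e < low for e in ents)
    if hi == len(ents):
        return "encrypted"
    if hi and lo:
        return "partial"
    return "plain"

# --- constructed sample files (not real DarkSide artefacts) ---
def prng_block(seed, n):
    """Deterministic high-entropy bytes standing in for ciphertext; n % 32 == 0."""
    return b"".join(hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(n // 32))

LINE = b"throughput report: segment status nominal\n".ljust(64, b".")
PLAIN = LINE * 256                                   # 16 KiB of structured text
ENCRYPTED = prng_block("full", len(PLAIN))           # every chunk near 8 bits/byte
PARTIAL = prng_block("head", CHUNK) + PLAIN[CHUNK:]  # only the first 4 KiB touched

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("encrypted", ENCRYPTED), ("partial", PARTIAL)):
        print(name, classify(blob), [round(e, 2) for e in chunk_entropies(blob)])
```

Natively compressed or encrypted formats (archives, JPEGs, many PDF streams) score high on every chunk, so treat the label as triage input alongside extensions, timestamps and ransom-note presence rather than as a verdict.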
The Colonial Pipeline attack
On 7 May 2021 a DarkSide affiliate compromised Colonial Pipeline, the operator of a 5,500-mile pipeline supplying nearly half of the US East Coast’s transportation fuel. The intrusion appears to have started with a single legacy VPN account that lacked multi-factor authentication. Within hours, the attackers had stolen approximately 100 GB of data. Encryption was deployed against the IT environment.
Colonial elected to shut down the pipeline as a precaution while it assessed the impact, triggering fuel shortages, panic-buying, and price spikes across the southeastern US. Within days, the company paid a $4.4 million ransom in Bitcoin. The decryptor was reportedly so slow that Colonial relied largely on its own backups for restoration.
The political response was unprecedented. President Biden gave a televised address. The FBI and Justice Department later recovered roughly $2.3 million of the ransom by seizing the private key to a wallet held by the attackers. The Treasury issued sanctions advisories. CISA, the TSA, and the White House cybersecurity team issued an avalanche of guidance. For the first time, ransomware was unambiguously framed as a national security issue at the highest level of US government.
The unraveling
Within 72 hours of the attack going public, DarkSide’s operators announced they had "lost access" to their own infrastructure. Servers went offline. Affiliate funds in the operation’s escrow were frozen. The brand’s leadership posted statements claiming they had been a victim of unspecified law-enforcement action and that their goal had only ever been to make money, not to "create problems for society."
The dominant assessment among researchers is that the operators had not in fact been seized (there is no public evidence of a US action against the actual infrastructure at that time) but had been pressured by Russian-affiliated forum administrators or upstream protectors to disappear. The Colonial Pipeline attack had violated the implicit deal that protects Russian-based ransomware operators: do not attack things that get the FBI’s full attention.
DarkSide ceased operations in mid-May 2021.
The BlackMatter rebrand
In late July 2021, a new operation called BlackMatter announced itself on the same Russian-language forums. The operators denied any direct connection to DarkSide while leaning heavily on the credibility of "DarkSide and REvil techniques." Code overlaps with DarkSide were quickly found. Researchers and the US government agreed: DarkSide had rebranded.
BlackMatter went after agriculture and other critical-infrastructure sectors despite public assurances it would not, hit New Cooperative and Olam, and was hammered by a continuous stream of public attribution from CISA. By November 2021 BlackMatter announced it too was shutting down, "due to pressure from the authorities."
The BlackCat lineage
The third stop on the same operators’ tour was BlackCat/ALPHV, which launched a few weeks later in late November 2021 with a fresh Rust-based locker. The same TTPs, the same infrastructure patterns, and several of the same affiliates carried through. As covered in our BlackCat profile, that operation eventually collapsed in early 2024 after the Change Healthcare attack and exit scam. If you trace the line, DarkSide → BlackMatter → BlackCat is one continuous operator team across roughly three and a half years.
Why DarkSide matters
DarkSide is short-lived but pivotal for three reasons. It produced the first ransomware attack to cause a visible national crisis in a major Western country, redrawing the policy landscape overnight. It demonstrated the precise threshold at which Russian-based operators get pulled off the field, and that threshold is "fuel-line outages on US TV," not "ransomware in general." And it kicked off the multi-rebrand pattern that has become the standard survival strategy for criminal operations whose brand becomes too radioactive to keep using.
The brand is gone three times over now. The lessons are still in active use.
