DarkSide (hacker group)

[4] DarkSide and REvil use similarly structured ransom notes and the same code to check that the victim is not located in a Commonwealth of Independent States (CIS) country.

[13] According to Trend Micro Research data, the United States is by far DarkSide's most targeted country, at more than 500 detections, followed by France, Belgium, and Canada.

Cybersecurity firm Mandiant, a subsidiary of FireEye, has documented five clusters of threat activity that may represent different affiliates of the DarkSide RaaS platform, and has described three of them, referred to as UNC2628, UNC2659, and UNC2465.

Additionally, DarkSide is known to operate with a notable level of professionalism: analysts have observed that the group maintains a press room, a mailing list, and a victim hotline on its website.

[2] The group "has publicly stated that they prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments."

[8] DarkSide ransomware hit the IT managed services provider CompuCom in March 2021, costing over US$20 million in restoration expenses; it also attacked Canadian Discount Car and Truck Rentals[21] and Toshiba Tec Corp., a unit of Toshiba Corp.[22] DarkSide extorted money from the German company Brenntag.

[12] Following the attack, DarkSide posted a statement claiming that "We are apolitical, we do not participate in geopolitics...Our goal is to make money and not creating problems for society."

[6] On 14 May 2021, in a Russian-language statement obtained by the cybersecurity firms Recorded Future, FireEye, and Intel 471 and reported by the Wall Street Journal and The New York Times, DarkSide said that "due to the pressure from the U.S." it was shutting down operations, closing the gang's "affiliate program" (the intermediary hackers who carry out intrusions using DarkSide's ransomware and share the proceeds with the group).

[16][25] The specific "pressure" referred to was not clear, but the preceding day, U.S. President Joe Biden suggested that the U.S. would take action against DarkSide to "disrupt their ability to operate."

[16] Cybersecurity experts cautioned that DarkSide's claim to have disbanded might be a ruse to deflect scrutiny,[16] and possibly allow the gang to resume hacking activities under a different name.

[26] By April 2022, the Federal Bureau of Investigation (FBI) had released an advisory stating that several developers and money launderers for BlackCat had links to two defunct ransomware-as-a-service (RaaS) groups, DarkSide and BlackMatter.