DarkSide / BlackMatter Ransomware: Threat Actor Profile
DarkSide's public lifetime was short but its impact was outsized — the Colonial Pipeline attack made ransomware a national-security issue. It took $90M+ in Bitcoin before rebranding as BlackMatter. A full profile.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
DarkSide's public lifetime was short, but its financial and strategic impact was outsized because of the Colonial Pipeline attack and the subsequent mainstream realization that ransomware could create national-level disruption. Elliptic estimated DarkSide had taken in over $90 million in Bitcoin ransom payments.
DarkSide: at a glance
- Aliases: DarkSide; BlackMatter (assessed rebrand / close successor)
- Country / affiliation: Russian-speaking criminal ecosystem
- Assessed status (as of July 2026): Brand inactive; lineage rebranded
- Primary objectives: Big-game ransomware extortion and data theft
- Financial destruction / gain: >$90 million in Bitcoin ransom payments to DarkSide wallets, per Elliptic
- Type: ransomware-as-a-service (RaaS) (big-game ransomware)
Who is DarkSide?
After the Colonial incident, DarkSide announced it was shutting down; researchers and Microsoft later assessed BlackMatter as a rebrand or close successor. In 2026 the DarkSide brand itself is inactive, but the lineage mattered because it fed later ransomware-as-a-service (RaaS) evolution, including ALPHV/BlackCat.
Aliases and attribution
DarkSide operated a professional ransomware-as-a-service (RaaS) affiliate model within the Russian-speaking cybercrime ecosystem, even publishing a 'code of conduct' barring attacks on hospitals. After Colonial, the brand dissolved and re-emerged as BlackMatter; the lineage is widely discussed as flowing onward toward ALPHV/BlackCat — a recurring pattern in ransomware cyber attribution where brands die but operators persist.
Financial impact and damage
Elliptic tracked more than $90 million in Bitcoin ransom payments to DarkSide wallets from around 47 victims. The May 2021 Colonial Pipeline attack triggered fuel shortages across the U.S. East Coast and put ransomware on every government's agenda; the DOJ later seized a large portion of the ransom. The strategic fallout — new national cyber policy — far exceeded the dollar figure.
DarkSide timeline
- 2020: DarkSide gains traction as a professional RaaS
- 2021: Colonial Pipeline incident triggers U.S. fuel shortages
- 2021: DOJ seizes part of the Colonial ransom
- 2021: DarkSide shuts down; BlackMatter emerges as successor
Notable attacks and campaigns
The Colonial Pipeline attack (May 2021) is the defining example of ransomware causing physical, national-scale disruption, prompting emergency declarations and reshaping U.S. cyber policy. The DarkSide affiliate exfiltrated data before encrypting, the maturing double-extortion model that BlackMatter and peers repeated.
Tactics, techniques, and procedures (TTPs)
The techniques below are compact, high-confidence mappings to the MITRE ATT&CK framework, drawn from the group's MITRE ATT&CK profile and corroborating government and vendor reporting. The live ATT&CK matrix remains the authoritative reference for full coverage.
- T1486 — Data Encrypted for Impact: DarkSide's core model was enterprise encryption for extortion. Detect sudden parallel encryption and ransom-note drops.
- T1041 — Exfiltration Over C2 Channel (exfiltrate-then-encrypt double extortion): DarkSide staged and exfiltrated data before encrypting, a pattern later repeated by BlackMatter. Alert on Rclone-like egress and staging directories before encryption.
- T1078 — Valid Accounts: Colonial and peer attacks hinged on credential abuse and remote-access misuse. Enforce MFA and monitor remote logins from new ASN / geo patterns.
Detection and defense against DarkSide
DarkSide's kill chain — stolen remote-access credentials, exfiltration, then encryption — is the archetype for big-game ransomware defense:
- Enforce MFA on all remote access and monitor logins from new ASN / geographic patterns.
- Alert on Rclone-like data egress and staging directories preceding encryption.
- Detect sudden parallel encryption and ransom-note drops.
- Protect backups against deletion and VSS impairment.
- Segment critical OT/ICS from IT networks to prevent operational shutdowns like Colonial.
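As an added example (not code from the page, a vendor, or the group's ATT&CK profile), the three detection ideas above run over constructed telemetry as one ordered kill-chain check: the event schema, the per-account ASN baseline, the egress threshold and the ransom-note filename heuristic are all assumptions.

```python
# Constructed telemetry (not real logs); the field names are an assumed schema.
EVENTS = [
    {"t": 0, "kind": "logon", "user": "svc_vpn", "asn": 12345},
    {"t": 600, "kind": "logon", "user": "svc_vpn", "asn": 99999},   # ASN never seen for this user
    {"t": 1200, "kind": "net", "proc": "rclone.exe", "out_bytes": 40 * 2**30},
    *[{"t": 3000 + i / 10, "kind": "file", "op": "rename", "path": f"C:\\share\\doc{i}.xlsx.locked"}
      for i in range(120)],                                         # 10 renames/second burst
    {"t": 3013, "kind": "file", "op": "create", "path": "C:\\share\\README.txt"},
]
KNOWN_ASNS = {"svc_vpn": {12345}}              # assumed per-account baseline of seen ASNs
NOTE_WORDS = ("readme", "restore", "decrypt")  # constructed ransom-note filename heuristic

def new_asn_logons(events, known=KNOWN_ASNS):
    """T1078: remote logons from an ASN the account has not used before."""
    return [e for e in events if e["kind"] == "logon"
            and e["asn"] not in known.get(e["user"], set())]

def bulk_egress(events, min_bytes=2**30):
    """T1041: one process pushing at least min_bytes outbound (Rclone-like egress)."""
    return [e for e in events if e["kind"] == "net" and e["out_bytes"] >= min_bytes]

def encryption_burst(events, window=60, min_renames=100):
    """T1486: (start time of a rename burst or None, whether a note-like file was dropped)."""
    renames = sorted(e["t"] for e in events if e["kind"] == "file" and e["op"] == "rename")
    start = next((renames[i] for i in range(len(renames) - min_renames + 1)
                  if renames[i + min_renames - 1] - renames[i] <= window), None)
    note = any(e["kind"] == "file" and e["op"] == "create"
               and any(w in e["path"].lower() for w in NOTE_WORDS) for e in events)
    return start, note

def kill_chain(events):
    """Stages observed, in time order; all three in order is the full DarkSide-style pattern."""
    seen = {}
    if (logons := new_asn_logons(events)):
        seen["valid_accounts"] = min(e["t"] for e in logons)
    if (egress := bulk_egress(events)):
        seen["exfiltration"] = min(e["t"] for e in egress)
    start, note = encryption_burst(events)
    if start is not None and note:        # rename burst alone is not enough; require the note
        seen["encryption"] = start
    return sorted(seen, key=seen.get)

if __name__ == "__main__":
    print(kill_chain(EVENTS))   # ['valid_accounts', 'exfiltration', 'encryption']
```

The ordering matters: egress flagged before the encryption stage is the exfiltrate-then-encrypt sequence the profile describes, and a rename burst without a note-like drop stays below the encryption threshold so bulk renames from legitimate tooling do not fire on their own.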
The bottom line
DarkSide's Colonial Pipeline attack turned ransomware into a national-security issue overnight; though the brand is gone, its lineage runs straight through the modern RaaS ecosystem. See how DarkSide ranks among the most dangerous threat actors, and track its latest activity on our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
What is DarkSide ransomware?
DarkSide was a Russian-speaking ransomware-as-a-service operation active in 2020-2021, best known for the Colonial Pipeline attack. After shutting down, it is assessed to have rebranded as BlackMatter.
What was the Colonial Pipeline attack?
In May 2021, a DarkSide affiliate attacked Colonial Pipeline, forcing a shutdown that caused fuel shortages across the U.S. East Coast and making ransomware a top national-security priority.
How much did DarkSide make?
Elliptic estimated DarkSide received more than $90 million in Bitcoin ransom payments from around 47 victims. The DOJ later recovered a large portion of the Colonial ransom.
Is DarkSide still active?
No. The DarkSide brand shut down after Colonial Pipeline, re-emerging as BlackMatter; the lineage is widely assessed to have fed later operations such as ALPHV/BlackCat.
Primary sources & further reading
This guide is reviewed and fact-checked against authoritative primary sources: