Threat Intelligence Tarot
pentacles · 2
Criminal (Russian-speaking)
G0139
risk 5/5
The Dark Dividend
DarkSide
Carbon Spider
Colonial Pipeline · Energy sector · Manufacturing · Professional services
Active ~2020–2021 · Ransomware-as-a-service, Critical infrastructure extortion, Affiliate model
DarkSide shut down a 5,500-mile pipeline and triggered a national emergency - not because it wanted geopolitical chaos, but because it wanted $4.4 million. The Dark Dividend is what happens when ransomware-as-a-service affiliates operate without strategic judgment about what targets are too consequential to hit.
Tactics & Techniques
ATT&CK tactics, kill-chain order: RCN (Reconnaissance) · RDV (Resource Development) · INI (Initial Access) · EXC (Execution) · PRS (Persistence) · PRV (Privilege Escalation) · EVA (Defense Evasion) · CRD (Credential Access) · DSC (Discovery) · LAT (Lateral Movement) · COL (Collection) · C2 (Command and Control) · EXF (Exfiltration) · IMP (Impact)
  • T1486 Data Encrypted for Impact (Impact)
  • T1489 Service Stop (Impact)
  • T1078 Valid Accounts (Initial Access)
  • T1567 Exfiltration Over Web Service (Exfiltration)
  • T1003 OS Credential Dumping (Credential Access)
  • T1548.002 Bypass User Account Control (Privilege Escalation)
  • T1068 Exploitation for Privilege Escalation (Privilege Escalation)
Notable Operations
  • Colonial Pipeline - US East Coast fuel supply disruption (May 2021)
  • Biden administration national emergency declaration
  • $4.4M ransom paid; $2.3M recovered by DOJ
  • Group disbanded after international pressure following Colonial attack
Defenses
Reversed: Their Weakness
The Colonial Pipeline attack was DarkSide's undoing - international pressure, FBI infrastructure seizure recovering most of the ransom, and sudden US government focus on ransomware as a national security issue forced the group to shut down within weeks of its highest-profile success.
Data sourced from MITRE ATT&CK. For educational purposes.