In the midst of this, the DarkSide ransomware gang shut down their operations and went underground, seemingly spooked by the high level of scrutiny the group has received. The group took down its public-facing “name-and-shame” blog and their cryptocurrency wallets were drained.
Just because DarkSide shuttered operations does not mean that those who have worked alongside DarkSide are retreating. Many of the most potent ransomware gangs in 2021 operate using a Ransomware-as-a-Service (RaaS) model, in which the crews that develop and maintain the ransomware partner with freelance cybercriminals who break into corporate and other high-value networks. These freelancers, typically referred to as “affiliates,” are responsible for distributing the ransomware. Affiliates are temporary partners of the ransomware gang and may work for several ransomware gangs at a given time. Profits from the criminal scheme are divvied up between the gang and the affiliate, with the affiliate typically taking the larger share of the proceeds.
Following the Colonial Pipeline incident, it appears that the DarkSide gang as we currently know it has, at least for the moment, closed down shop. Many of their affiliates, however, are likely to continue operating, reaching out to other ransomware gangs in order to monetize their access.
Using Maltego and Intel 471 data, we can begin to form a picture of some of the known DarkSide affiliates.
Read more: https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/