DarkSide, the group behind the infamous ransomware used in the attack against Colonial Pipeline that caused a national panic and sent gas prices soaring, stated on May 13 that they were immediately ceasing operations.
DarkSide operators promised to issue decryptors for all ransomware targets and compensate for outstanding financial obligations by May 23. While news of the group's capitulation is welcome, the danger associated with the threat actors that use its ransomware has not necessarily been neutralized.
DarkSide operates as a ransomware-as-a-service (RaaS) operation, and its developers receive a share of the proceeds from its deployment by other malicious cyber actors known as affiliates. On May 11, 2021, FireEye released a Threat Intelligence report on the Tactics, Techniques, and Procedures (TTPs) used by three different DarkSide affiliates they identify as UNC2465, UNC2628, and UNC2659.
Article Link: DarkSide is Standing Down, But Its Affiliates Live On | RiskIQ