The criminal cyber cartel accused of the ransomware attack on a U.S. pipeline that caused gasoline shortages for motorists this week has said it is shutting down, according to cybersecurity researchers.
The news comes after the Colonial Pipeline Company paid hackers a ransom worth nearly $5 million as it worked to restart its 5,500-mile network, people familiar with the matter said.
DarkSide, the suspected Russia-based group that the FBI said was responsible for the attack, told its affiliates it was shutting down its services, said FireEye, the cybersecurity company hired to investigate the incident.
Until now, DarkSide has developed and maintained the ransomware while also leasing it to others through an affiliate program, taking a share of the proceeds from attacks that seize control of an organization's data or systems and use encryption to lock out their owners until a payment is made.
In a post on the dark web, found by researchers at Recorded Future and seen by the Financial Times, the group also said it had lost control of much of its public infrastructure, including its dark web blog and the server it uses to accept ransom payments, and that its cryptocurrency funds had been seized.
“The post cited pressure from law enforcement and pressure from the United States for this decision,” said Kimberly Goody, senior director of financial crime analysis at Mandiant Threat Intelligence, a unit of FireEye.
It is not known whether the disruption of the group's infrastructure was carried out by authorities, nor whether DarkSide was going offline only to resume operations at a later stage under a different name, a manoeuvre known as an “exit scam”.
US President Joe Biden said he had “good reason” to believe that the DarkSide hackers were based in Russia, but that he did not believe Moscow was directly responsible.
“We have been in direct communication with Moscow on the imperative for the countries responsible to take decisive action against these ransomware networks,” he said Thursday.
Colonial paid the hackers in cryptocurrency, said two people familiar with the matter. “It was a number of Bitcoin; it was a hair less than $5 million,” said one of the people.
Colonial began the process of bringing the pipeline, a central artery for fuel delivery to the eastern United States, back online on Wednesday. On Thursday, it announced that it had restarted the entire system and begun delivering products to all of its markets. The company did not respond to a request for comment on the ransom payment.
The crisis has reignited debate over whether there should be a blanket ban on victims paying ransoms. White House press secretary Jen Psaki said on Thursday that the federal government continued to argue that paying ransoms only encouraged such blackmail activity and urged companies to strengthen their defenses. The FBI advises against payments.
Ransomware gangs earned at least $18 billion in ransoms in 2020, according to cybersecurity company Emsisoft, as hackers took advantage of employees' shift to remote work and the vulnerabilities that came with it. The average payout is around $150,000, according to data from Emsisoft.
Authorities face increasing public pressure to hunt down and prosecute attackers. Last Saturday, a group of tech companies, together with US agencies including the FBI, disrupted DarkSide by shutting down the US-based servers the group used to stage stolen data before sending it on to Russia, according to two people close to the situation. Colonial's shutdown and the ransom payment were first reported by Bloomberg.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said there was discussion about whether to go one step further and hack the criminal ransomware gangs themselves, a practice known as “hacking back”.
“People are talking about hackback – it's back on the radar and it's probably due to the Colonial incident.”