Less than 24 hours after President Joe Biden announced the United States would seek to disrupt the operations of those responsible for the Colonial Pipeline attack, the gang in question appears to be in hiding – and claims it will end its criminal operation, at least for now.
In messages posted online Thursday, the DarkSide ransomware gang said that much of its IT infrastructure had been targeted by an “unknown law enforcement agency” and that part of its cryptocurrency had been seized, a new report from the threat intelligence company Intel 471 shows. Security researchers spotted the posts on an underground forum, where the gang claimed that its “name and shame” blog, ransom collection website, and breach data content distribution network (CDN) had all been seized, while the funds in its cryptocurrency wallets were said to have been exfiltrated.
The gang further announced that it would cease operations and issue decryptors to all of its affiliates “for the targets they attacked.” An excerpt from the note, shared by Intel 471, reads as follows:
A few hours ago, we lost access to the public part of our infrastructure, in particular to the
At the moment, these servers are not accessible via SSH and the hosting panels have been blocked.
The hosting support service does not provide any information except “at the request of law enforcement authorities”. In addition, a few hours after the seizure, the funds from the payment server (owned by us and our customers) were withdrawn to an unknown account.
After detailing its plans to shut down operations, the group then explicitly mentioned the United States as having added “pressure” to their situation:
In view of the above and due to pressure from the United States, the affiliate program is closed. Stay safe and good luck. The landing page, servers and other resources will be deleted within 48 hours.
If all of this is true, it’s a quick turnaround for DarkSide – which rose to fame last week when it crippled the Colonial Pipeline network and succeeded in extorting America’s largest oil and gas conduit for $5 million. Until now the gang has run a prolific ransomware-as-a-service (RaaS) operation, in which it loaned its malware to criminal “affiliates”, who then carried out cyberattacks on its behalf. In the RaaS model, affiliates receive a cut of each ransom obtained.
According to the Intel 471 report, the incident appears to have sent a chill across the ransomware community, with other forums and cybercrime groups alleging similar “takedowns” and announcing new restrictions on operations. However, it is not clear whether this is really the result of some sort of crackdown by law enforcement.
Likewise, not everyone agrees that DarkSide is actually telling the truth about its plans.
Kimberly Goody, senior director of financial crime analysis at FireEye’s Mandiant, said in a statement shared with Gizmodo that her company has yet to verify the allegations. Instead, she said, there is speculation online that it could be a scam:
Mandiant observed that several actors cite a May 13 announcement that appears to have been shared with DARKSIDE RaaS affiliates by operators of the service. This announcement stated that they had lost access to their infrastructure including their blog, payment and CDN servers and would shut down their service … We have not independently validated these claims and other actors are speculating that this could be an exit scam.
In any case, if the gang does retreat into the digital underworld, it is likely that it will eventually regroup and resume operations at some point in the future, according to experts. “A number of operators will likely operate in their own tight-knit groups, resurfacing under new names and updated ransomware variants,” says Intel 471.