DarkSide Ransomware Gang Says It Has Shut DownColonial Pipeline Attack Used DarkSide Malware
The gang behind DarkSide ransomware, which U.S. authorities say was used in the attack against Colonial Pipeline Co., says it's closed its ransomware-as-a-service operation after losing access to part of its infrastructure.
See Also: 2022 Unit 42 Incident Response Report
In a message posted Thursday night to its "wall of shame" website, where it has previously leaked data from some attacks, the gang stated: "A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the blog, payment server, CDN servers. At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked," DarkSide wrote, according the security firm Intel 471.
DarkSide apparently recently received a $5 million ransom from Colonial Pipeline, according to the research firm Elliptic. The firm said that on Friday, it identified the bitcoin wallet the ransomware group used to receive ransom payments from its victims. "Based on our intelligence collection and analysis of blockchain transactions, this wallet received the 75 BTC [bitcoin] payment made by Colonial Pipeline on May 8, following the crippling cyberattack on its operations - leading to widespread fuel shortages in the US," says Tom Robinson, Elliptic's co-founder and chief scientist.
In its Thursday announcement, the gang behind the ransomware-as-a-service operation told affiliates that it will issue each of them decryption tools to give to all victimized companies that have not yet paid a ransom, and it will compensate the affiliates for the lost ransom income.
"In view of the above and due to the pressure from the U.S., the affiliate program is closed. Stay safe and good luck," the gang stated in its posting, Intel 471 reports. "The landing page, servers and other resources will be taken down within 48 hours."
Several security sources have confirmed that some parts of DarkSide's data leak site were offline as of Thursday night.
"DarkSide announced they are no longer in control of their site; however, it is unknown if this was the result of law enforcement actions," says Tom Hoffman, senior vice president of intelligence at the security firm Flashpoint. "Flashpoint detected the main site went down yesterday, but there are portions of their site that are still functioning."
Some other cybercrime groups have announced shutdowns only to reemerge, sometimes with a new name.
On May 7, Colonial Pipeline was hit with ransomware, later identified as DarkSide, which led the company to shut down operations. It began resuming operations Wednesday.
The pipeline shutdown cut off gasoline and other fuel supplies to a large portion of the East Coast.
President Joe Biden said on Thursday that the Russian government was not involved in the Colonial Pipeline attack but that criminals living in Russia were involved.
Other Ransomware Gangs
Earlier this week, the Babuk gang, which hit the Washington, D.C. Metropolitan Police Department in April, claimed to have handed over its ransomware source code to another group and said it would no longer wage attacks. But it said it would continue to develop malicious code for others to use.
Flashpoint reports that in the aftermath of DarkSide's decision to shut down operations, the REvil ransomware gang has issued new ground rules for its operation. It posted on its darknet website that it would refrain from attacking healthcare, educational and government institutions.
Meanwhile, the Russian language cybercrime forum XSS said it would no longer accommodate ransomware-related communications, Flashpoint says. Ransomware gangs - including REvil, Babuk, DarkSide, LockBit, Nefilim and Netwalker - have used the forum as a place to recruit affiliates, Flashpoint says.