Less than 24 hours after President Joe Biden announced that the U.S. would seek to disrupt the operations of those responsible for the Colonial Pipeline attack, the gang in question seems to be ducking for cover—and claims it will shut down its criminal operation, at least for now.
In posts made online Thursday, the ransomware gang DarkSide said that large parts of its IT infrastructure had been targeted by an “unknown law enforcement agency” and that some amount of its cryptocurrency had been seized, a new report from security firm Intel471 shows. Security researchers spotted the announcements on an underground forum, where the gang claimed that its “name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from their cryptocurrency wallets allegedly were exfiltrated.”
The gang further announced that it would be shutting down operations and issuing decryptors to all of its affiliates “for the targets they attacked.” An excerpt of the note, shared by Intel471, reads as follows:
A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the
At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.
The hosting support service doesn’t provide any information except “at the request of law enforcement authorities.” In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.
After detailing its plans to shut down operations, the group then explicitly mentioned the U.S. as having added “pressure” to their situation:
In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck. The landing page, servers, and other resources will be taken down within 48 hours.
If this is all true, it’s a swift turnaround for DarkSide—which rocketed to notoriety last week when it successfully crippled the network of Colonial Pipeline, thus managing to extort America’s largest oil and gas conduit for a reported $5 million. Until now, the gang has run a prolific ransomware-as-a-service business, wherein it loaned out its malware to criminal “affiliates,” who then conducted cyberattacks on its behalf. In the RaaS model, affiliates get paid some amount of the cut from every successful ransom secured.
According to the Intel471 report, the incident appears to have set off a shudder throughout the ransomware community, with other cybercrime forums and groups alleging similar “takedowns” and announcing new restrictions on operations. However, whether this is actually the result of some sort of law enforcement crackdown is unclear.
By the same token, not everyone agrees that DarkSide is actually telling the truth about its plans.
Kimberly Goody, senior manager of Financial Crime Analysis at FireEye’s Mandiant, said in a statement shared with Gizmodo that her company has not yet been able to verify the claims. Instead, she said, there is some online speculation that it could be a scam:
Mandiant has observed multiple actors cite a May 13 announcement that appeared to be shared with DARKSIDE RaaS affiliates by the operators of the service. This announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers and would be closing their service…We have not independently validated these claims and there is some speculation by other actors that this could be an exit scam.
At any rate, if the gang is indeed retreating into the digital underworld, it’s likely that it will eventually regroup and resume operations at some point in the future, experts say. “A number of the operators will most likely operate in their own [close-knit groups, resurfacing under new names and updated ransomware variants,” Intel471 says.