The criminal gang behind the destabilising Colonial Pipeline ransomware attack has announced its closure, but threat analysts suspect the group will resurface under a new name and with new ransomware variants.
Despite massive backlash from the US government and international law enforcement agencies, the DarkSide cybercrime gang appears to be shutting down operations.
The DarkSide ransomware-as-a-service infrastructure, as well as a naming-and-shaming website used by the criminal group to pressure victims during extortion talks, has gone offline, according to several threat hunters monitoring darkweb communications.
Intel471, a security firm that monitors malicious activity on the dark web, says it has verified an “announcement” from DarkSide that the group will “immediately cease operations” and provide data decryptors to all victims. In a statement posted in Russian, the group says that an unnamed law enforcement agency disrupted part of its infrastructure.
According to Intel471, the group’s name-and-shame blog, ransom collection website, and breach data content distribution network (CDN) were all allegedly confiscated, and funds from their cryptocurrency wallets were allegedly exfiltrated.
The DarkSide announcement, which claims the offenders “lost access to their resources, including their blog, payment, and CDN servers and will be closing their operation,” was also seen by FireEye researchers.
The post cited law enforcement pressure and pressure from the United States for this decision. @Mandiant has not independently validated these claims and there is some speculation by other actors that this could be an exit scam. (3/3)
— FireEye (@FireEye) May 14, 2021
FireEye, for its part, states that it has not independently verified the claims and warns that the announcement may be part of an “exit scam.”
In the past, cybercriminal groups have shut down activities in reaction to law enforcement action, only to reopen under a new name and with new online infrastructure.
The status of live, ongoing negotiations over ransom payments and data decryption tools is another possible complication of a DarkSide shutdown. “A large number of tainted businesses are in contact with these [DarkSide affiliates],” said a source monitoring the ransomware outbreak. “If they go dark, it might really hinder recovery attempts all over the world.”
Intel471 says it has seen rival ransomware-as-a-service gangs go silent before, but, like FireEye, it warns that ransomware extortion attacks aren’t going anywhere anytime soon.
“It’s more likely that these ransomware creators are attempting to flee the spotlight than they are unexpectedly realising their mistakes,” the firm said. “A number of the operators will most likely operate in their own close-knit communities, resurfacing under new names and revamped ransomware variants.”
Intel471 claims that the operators will devise new methods for “washing” the cryptocurrency they receive from ransom payments.
News of the alleged shutdown follows reports that Colonial Pipeline paid a $5 million ransom to the DarkSide cybergang.
The ransomware used in the Colonial Pipeline attack is a variant of the infamous REvil ransomware, according to threat intelligence firm Flashpoint, which assesses this with moderate confidence based on code analysis.
Separately, a Chainalysis analysis of ransomware transactions found that 15% of all extortion payments carried a risk of violating United States sanctions.