The DarkSide ransomware gang, who drew unprecedented global coverage this week after encrypting Colonial Pipeline’s systems and extracting $5 million as ransom payment, has announced it is shutting shop as its servers and cryptocurrency accounts were allegedly seized “at the request of law enforcement agencies.”
The DarkSide ransomware group operates as per the now-popular ransomware-as-a-service model. What this means is that the group lets third parties use its ransomware variant to extract money from victims and receives a share of the money in return.
Earlier this week, Bloomberg reported that Colonial Pipeline agreed to pay a ransom of $5 million to the ransomware group, hours after the company learned the group had encrypted its systems using a ransomware variant. German chemical distribution giant Brenntag also paid $4.4 million to the group after a ransomware attack crippled its IT network in North America.
Soon after it became known that the two companies had paid a ransom to DarkSide, the hacker group unexpectedly announced that it had ceased operations, stating that its public blog, ransom collection website, and breach data content delivery network (CDN) were seized at the request of a law enforcement agency.
The group’s online announcement, which was accessed by Intel 471, stated that funds from its payment server were withdrawn to an unknown account and that it had lost access to all of its servers and hosting panels. “The hosting support service doesn’t provide any information except ‘at the request of law enforcement authorities,’” the group said.
“The following actions will be taken to solve the current issue: You will be given decryption tools for all the companies that haven’t paid yet. After that, you will be free to communicate with them wherever you want in any way you want. Contact the support service. We will withdraw the deposit to resolve the issues with all the affected users.
“The approximate date of compensation is May 23 (due to the fact that the deposit is to be put on hold for 10 days on XSS). In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck. The landing page, servers, and other resources will be taken down within 48 hours,” DarkSide added.
The Babuk ransomware group, which was behind the recent ransomware attack on the District of Columbia’s Metropolitan Police Department, also announced that it is shutting shop and would hand over the ransomware’s source code to another team. The group would, however, continue to publish the list of victim companies and switch to a private mode of operation.
According to Intel 471, the administrator for one of the most popular Russian-language cybercrime forums has also announced a ban on all ransomware-related activity that includes advertising, sales, ransom negotiation services, and similar offers. The administrator said ransomware operations were becoming “more and more toxic” and dangerous for the underground community.
Similarly, the operators of the REvil ransomware and the Avaddon RaaS programme have also announced they would stop promoting their malware on hacker forums and would likely switch to a private mode of operation. Intel 471 says these actions were probably a reaction to this week’s media coverage of the high-profile ransomware attacks, and that the operators are more likely retreating from the spotlight than suddenly discovering the error of their ways.
“A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms.
“Furthermore, there will be ransomware operators that continue with their own operations despite all of this week’s attention. On the same day as the coordinated announcements from REvil and Avaddon, Ireland’s health service operator had to shut down all of its IT systems due to a ‘significant’ ransomware attack,” the firm said.
According to Curtis Simpson, CTO of Armis, the primary reason for ransomware groups like REvil speaking on their code of ethics could be the likelihood of swift, global action being taken against ransomware-as-a-service (RaaS) operators and their infrastructure. Nation states have drawn clear lines of tolerable actions and allowable targets, and commonly make examples of those that fail to stay within those lines.