DarkSide Ransomware Operation Shuts Down and RaaS Operators Place Limits on Attacks by Affiliates

The DarkSide ransomware gang, which was responsible for the cyberattack on Colonial Pipeline that caused the shutdown of fuel pipelines supplying 45% of the fuel needs of the East Coast of the United States, has been shut down.

The group lost access to its data leak site, payment server, and DoS servers last week, and the funds in its cryptocurrency wallets have been transferred to an unknown wallet.

The Colonial Pipeline ransomware attack was a huge mistake. A cyberattack on a company is naturally a crime, but an attack on a critical infrastructure firm such as Colonial Pipeline could be classed as a terrorist attack, the consequences of which are far more severe.

Soon after the attack on Colonial Pipeline, the DarkSide ransomware gang took steps to make it clear that the attack was not conducted for political purposes, nor to cause disruption or social unrest, and that the attack was not linked to any nation state and was purely conducted for financial reasons.

On May 13, 2021, President Biden held a press conference confirming the U.S. did not believe Russia was behind the attack, but said the U.S. had strong evidence that the individuals behind the attack were based in Russia and urged countries hosting ransomware networks to take steps to shut them down. “We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” said Biden. “We’re also going to pursue a measure to disrupt their ability to operate. And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”

Also on May 13, the DarkSide ransomware group’s data leak site went offline, and the ransomware group said it was immediately ceasing the DarkSide ransomware operation. The group announced that it had lost access to the public part of its infrastructure, stating that this was “at the request of law enforcement.” The group also announced that all affiliates would be given the decryption tools for every company that had been attacked but had not yet paid the ransom, leaving it up to the affiliates to decide what to do with them: supply the decryptors to victims free of charge or attempt to obtain ransom payments on their own. “In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck,” according to the group’s announcement.

The DarkSide ransomware gang is not the only ransomware operation to take the decision to cease operations. The operators of Babuk ransomware claim to have passed on their source code to another group and are pulling out of their ransomware-as-a-service (RaaS) operation, although they claim the RaaS operation will continue under another name and will be operated by another team.

The REvil and Avaddon ransomware gangs have also reacted to the fallout from the Colonial Pipeline attack and are curbing their ransomware activity. They have introduced new rules specifying which organizations and companies their affiliates may not attack. REvil has banned affiliates from conducting attacks on the government, educational institutions, charities, and healthcare organizations and will require all affiliates to obtain authorization from the group before conducting attacks. Any violators will be kicked out of the RaaS operation and the attacked companies will be provided with free decryptors. The group has also said it will stop promoting its RaaS operation and may go completely private.

Some hacking forums are no longer allowing posts advertising ransomware, offering it for sale, or offering ransom negotiation services, as ransomware has become toxic. However, this is unlikely to be the beginning of the end of ransomware; it is more likely that ransomware gangs will simply become much less high profile.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news