DarkSide, the ransomware-as-a-service (RaaS) group behind the Colonial Pipeline cyberattack, says its servers have been taken offline and its funds have been seized following the high-profile breach. This could be the result of action by law enforcement agencies or a rival criminal gang, and it remains to be seen whether the group will now disappear from view or reform in a slightly different guise.
Having declared it will “speak honestly and openly” to its customers and the rest of the world, DarkSide announced on Friday on a Russian cybercrime forum that it had “lost access to the public part of [its] infrastructure, in particular to the blog, payment server and CDN servers”. It added that “a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.” The release goes on to say that the group will distribute “decryption tools for all the companies that haven’t paid yet” as well as allowing the deposits to be returned to all affected users.
The Colonial Pipeline attack disrupted 45% of the East Coast of America’s supply of diesel, petrol and jet fuel. The company reportedly paid $5m in bitcoin shortly after its online infrastructure was taken down, but the decoding key it received was said to be so slow that the engineers had to continue to use the company’s own back-ups to try to restore the system. US president Joe Biden declared a state of emergency following the breach, citing DarkSide directly in his executive order.
What is the DarkSide ransomware as a service group?
DarkSide is thought to have been active for the past four years, and is distinctive for its highly targeted approach to its victims and custom ransomware executables which are prepared for each customer. The group’s malware was one of the most commonly used in the world last year, according to research from Palo Alto Networks.
The threat from ransomware grew rapidly in 2020 and its spread shows no signs of slowing in 2021. Last year it is thought to have cost businesses $20bn in ransom payments.
What happened to DarkSide servers?
It is unclear whether DarkSide’s servers were seized by law enforcement (no agency has yet taken credit), or if an affiliated criminal gang took action to distance itself from the huge amount of attention generated by Colonial Pipeline and other recent attacks carried out by DarkSide. “The money is going backwards and forwards and it’s all part of a larger underground economy,” says Jason Hill, head of research at cybersecurity company CyberInt. “Anyone who is part of that process could say ‘DarkSide is bringing too much heat our way, we’re going to shut it down before someone kicks our door in and wrecks our business’.”
Law enforcement agencies are likely to have intensified their interest in DarkSide’s activities, Hill says. “I would imagine they’re getting heat from both angles,” he adds. “There’s certainly law enforcement interest in finding out who they are, but they’ve also got their affiliates, the people that they’re working with.”
DarkSide’s apparent shutdown has had an impact on the wider ransomware-as-a-service community. In the wake of the announcement another high-profile group REvil, perpetrators of the Quanta hack that held Apple to ransom earlier this year, decided to implement restrictions on how its malware is used in a bid to avoid a similar fate, declaring it could not be used on attacks targeting education providers and government institutions.
But for other big criminal gangs it will be business as usual, says Stefano De Blasi a researcher at cybersecurity company Digital Shadows. “The larger ones are more likely to continue in their business in some way, by either changing the ransomware they work with or the name of the ransomware,” he says. “It would make sense for them to try to quiet things down a bit before coming back in some form to keep the business going.” Those who have helped DarkSide come to prominence may be biding their time before deciding how and where to strike next.