DarkSide, the ransomware group behind the Colonial Pipeline cyberattack that caused fuel shortages and price increases across the United States, says it is shutting down, possibly under pressure from the US government.
According to the group, its blog, which was used to name and shame victims, its ransom payment server and its CDN servers were all seized, and an unknown party then moved the funds from its cryptocurrency wallet to accounts it does not control. DarkSide described the events in a message that was posted and then spread on several hacking forums.
Dmitry Smilyanets, a threat intelligence analyst at Recorded Future, was the first to notice the post.
DarkSide stated “We lost access to the public part of our infrastructure, in particular to the blog, payment server, CDN servers … these servers cannot be accessed and the hosting panels have been blocked”.
“A couple of hours after the seizure, funds from the payment server [belonging to DarkSide and its clients] were withdrawn to an unknown account”.
DarkSide, first spotted in the wild in August 2020, is a relatively new ransomware group. It also ran an affiliate program through which other criminal groups used its ransomware to break into organizations' and companies' IT infrastructure.
The shutdown may also be an effort to escape the public attention and negative publicity that followed the Colonial Pipeline attack.
The group stated that it has distributed decryption software to all of its partners and affiliates so that the data encrypted in their attacks can be recovered.
It also reported that its affiliate program has been closed because of pressure from the U.S. government. That program followed the ransomware-as-a-service (RaaS) model, in which the operators sell or lease their ransomware and supporting infrastructure to cybercriminal affiliates who carry out the attacks.
Colonial Pipeline reportedly paid the attackers about $5 million on Friday to regain control of its systems, which contradicts earlier reports that the company did not intend to pay the ransom demanded.