The criminal group linked to a cyberattack that disrupted gasoline delivery across parts of the southeastern U.S. this week has told hacking associates that it is shutting down, according to security research firms.
A website operated by ransomware group DarkSide, which U.S. officials have said they believe originates in Eastern Europe, has been down since Thursday.
DarkSide has told associates it has lost access to the infrastructure it uses to run its operation and would be closing, citing disruption from a law-enforcement agency and pressure from the U.S., according to security firms and Intel 471.
DarkSide didn’t respond to requests for comment earlier in the week made through its website before it was shut down.
It isn’t uncommon for ransomware groups such as DarkSide to disband, only to pop up later under a different name. It couldn’t be determined if the U.S. had any role in DarkSide’s claimed disruption or if the disruption was authentic. It is also possible DarkSide plans to close and simply reopen under another name.
“I wouldn’t be surprised if DarkSide has just said, ‘It is way too hot,’ and they decided to pull the pin on themselves,” said Winston Krone, the chief research officer with Kivu Consulting, Inc., a company that helps victims respond to ransomware incidents.
The FBI didn’t respond to a request for comment. The Justice Department declined to comment.
Colonial Pipeline Co., the operator of a critical gasoline pipeline to the Eastern U.S., became a DarkSide victim this week and paid close to $5 million to the hackers, according to people familiar with the matter. The company shut down the pipeline May 7 and restarted it Wednesday.
A European subsidiary of Toshiba Corp. said Friday it was hit by a cyberattack. The company told Reuters it believed DarkSide was behind the attack.
President Biden on Thursday said his administration was “in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks” and would “pursue a measure to disrupt their ability to operate,” though he didn’t elaborate. Asked if he would rule out whether the U.S. would respond with cyber operations, Mr. Biden replied “no.”
Mr. Biden also said he expected to speak to Russian President Vladimir Putin soon about the country tolerating criminal hacking enterprises within its borders. Cybersecurity experts and U.S. officials have said that has allowed international cybercrime originating from Russia to flourish unhindered for years.
Some former U.S. officials said they wouldn’t be surprised if DarkSide’s computer infrastructure was seized or taken offline by U.S. authorities, and said that Moscow may have tacitly endorsed such an operation.
“Historically, significant Russian cyber attacks have had some element of government direction,” said Sumon Dantiki, a former senior FBI official who specializes in cybersecurity issues at the law firm King & Spalding. “In contrast, this appears to be an attack on critical infrastructure by a criminal group with the Russian government left to deal with the fallout.”
In less than a year, DarkSide had gone from a relative unknown in the growing criminal enterprise of ransomware to one of the biggest and most consequential operators, security researchers say. The group has grown by recruiting “affiliates”—hackers who will penetrate online networks of businesses or public institutions—with whom it works to disrupt operations. The group splits the ransom money with such affiliates, taking a percentage of the funds, security researchers say.
DarkSide’s criminal efforts brought in at least $60 million in the first seven months of operation, with $46 million of it coming in the first quarter of 2021, according to blockchain research firm Chainalysis Inc. Because Chainalysis has an incomplete picture of all of DarkSide’s activities, the ransomware gang’s total haul was likely larger, the company said.
The Colonial pipeline hack marked another major financial score for DarkSide, albeit one that drew significant scrutiny and would have made it difficult to collect payments, according to security researchers.
On Monday, the group issued a brief statement on its website saying it was apolitical and would take greater steps to moderate which targets it hit in the future. “Our goal is to make money and not creating problems for society,” the group wrote on its website.
The shutdown may create challenges for companies that are trying to recover from an infection of the DarkSide ransomware. DarkSide encrypts the contents of victims’ computers, making them unusable. But the hackers are promising to provide decryption software at some time in the future, according to their statement.
Ransomware is part of an emerging and profitable criminal business that generated more than $400 million in income in 2020, according to Chainalysis. Hacking groups like DarkSide have reinvented the process through which criminal networks extort victims. Security researchers call their work ransomware-as-a-service. They make their money by offering customers—criminal hackers—a way to deploy their illegal software and extort victims via a well-designed web interface.
The affiliates are the ones who break into corporate networks, and they get most of the ransom payments—usually around 75%, according to FireEye. DarkSide writes the software, bills the victims, hosts stolen data, and even handles tech support and media relations, researchers say.
Starting in November, DarkSide began to recruit affiliates on two Russian-language hacking forums, according to security firms. Candidates would have to pass an interview and prove that they could break into networks that would deliver the kind of six- or seven-figure payments that DarkSide expected. They would then get access to a customized web page—essentially a criminal cloud-computing service—where they could manage their online extortion efforts, according to Kimberly Goody, a senior manager of analysis at FireEye Inc.
Like many technology startups, DarkSide poured some of its revenue into developing new features, according to its posts in forums. In March it introduced DarkSide 2.0, an update to its service that came with a “call on us” feature that let users make internet-based calls for free to victims, according to an analysis of forum posts by threat intelligence firm Kela Research and Strategy Ltd.
The group initially appeared to seek a low profile by saying it would avoid attacks in Russia and by pledging not to install its malicious software on hospitals, schools and non-profit organizations. It also at one point said it would host stolen data on servers in Iran, and then it backtracked due to concerns that it might violate U.S. sanctions, according to a post that was previously on its website.
Given DarkSide’s new notoriety, other victims may be unlikely to pay, and DarkSide may not have been aware of the extent to which its operation would be threatened by this attack, according to security researchers.
“They probably didn’t fully think this one through,” FireEye’s Ms. Goody said.
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.