Rantburg

2021-05-15 Cyber
Cybercriminal Group Blamed for Colonial Pipeline Hack Says It Is Disbanding
[EpochNews] The cybercriminal outfit that U.S. authorities have said infiltrated the network of a major pipeline operator, leading to gas shortages and rising prices, is claiming that it is disbanding.

DarkSide, which operates ransomware as a service, announced Thursday they were stopping operations.

In an announcement in Russian, the group said it lost access to part of its infrastructure, along with some of its financial assets, after an apparent raid by law enforcement authorities.
Someone followed them home with malice aforethought? A delightful thought.
Affiliates that use DarkSide’s ransomware were told they will be given tools so victims can regain access to data that attackers held hostage in return for payment.

"In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck. The landing page, servers, and other resources will be taken down within 48 hours," the announcement read, according to a translation by Intel 471, a group of intelligence operators.

The attack on Colonial Pipeline earlier this month prompted the Georgia-based company to shut down certain parts of its network. That led to a major U.S. pipeline going offline, which in turn led directly and indirectly to gas shortages and rising prices at the pump.

Reports suggested Colonial paid millions of dollars to get a tool to regain access to system parts the hackers invaded, but the company has declined to confirm that publicly, as has the U.S. government.

The FBI this week said the DarkSide ring was responsible for the compromise of Colonial networks. DarkSide appeared to acknowledge that much in an earlier statement, saying they are apolitical with the goal of making money and not creating problems for society.

DarkSide utilizes a highly targeted approach to attacking victims by using custom ransomware and a corporate-like method of communication throughout their attacks, according to Digital Shadows, a cybersecurity firm. Last year, the company said it did not attack companies in certain sectors, like education.

Security researchers expressed skepticism of DarkSide’s new announcement.

Robert Lee, co-founder and CEO of Dragos, said on Twitter that the move "is almost certainly a rebranding attempt to avoid the heat."

DarkSide and another ransomware group, Babuk, which said it was shifting operations on Thursday after taking credit for obtaining and leaking information from Washington’s police department, took the actions in reaction to "the high-profile ransomware attacks covered by the media this week," Intel 471 said.

"However,
corruption finds a dozen alibis for its evil deeds...
a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants," it added.

President Joe The Big Guy Biden
...46th president of the U.S. We get to suffer the consequences...
told news hounds earlier Thursday that the U.S. government has "strong reason" to believe the Colonial hackers were based in Russia but were not backed by the Russian government.

"We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks," he said. "We’re also going to pursue a measure to disrupt their ability to operate. And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law."

An international task force that included officials from Microsoft, Amazon, New York state, and the U.S. government, said in a report sent to the Biden administration last month that the United States should "execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House."
Barrons adds:
Servers for Darkside were taken down by unknown actors Friday, a week after the cyber extortionist forced the shutdown of a large US oil pipeline in a ransomware scam, a US cyber security firm said.

Recorded Future, the security firm, said in a post that the allegedly Russia-based Darkside had admitted in a web post that it lost access to certain servers used for its web blog and for payments.

Accessed via TOR on the dark web, the Darkside site address showed a notice saying it could not be found.

Recorded Future threat intelligence analyst Dmitry Smilyanets said he found a Russian language comment on a ransomware website ostensibly from "Darksupp", described as the operator of Darkside.

"A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. DOS servers," Darksupp wrote.

"The Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang's payment server, which was hosting ransom payments made by victims," said Recorded Future.

While there was no evidence of who might have forced down Darkside's website, the Twitter account of a US military cyber warfare group, the 780th Military Intelligence Brigade, retweeted the Recorded Future report on Friday.
Posted by trailing wife 2021-05-15 00:00

#1 Still NOT buying the story narrative as presented by the Feds and Media.

I still feel there is a lot more behind the Great OZ's Curtain than being made public.
Posted by NN2N1 2021-05-15 07:36

#2 Some wet work is still in order
Posted by Frank G 2021-05-15 07:49

#3 In an announcement in Russian, the group said....

I was skeptical as well until the photographs were released.
Posted by Besoeker 2021-05-15 07:50

#4 Not exactly the Beatles breaking up...
Posted by Raj 2021-05-15 08:48

#5 "....Well, that ought to do it, then. Thanks, Ray."

- Dr. Peter Venkman

Mike
Posted by Mike Kozlowski 2021-05-15 09:22

#6 Saw a series of posts on Gab. Seems the local hacker community has never heard of these "Darksiders". They were speculating it was official Russian Gov't or connected to.
Why? My own immediate thought was "How long ago was it that Dementia Joe called Putin a murderer?"
Moral: Never speak truth to power when you're a wuss.
Posted by Mercutio 2021-05-15 10:37

#7 Time to re-form the band with a different guitar player. (See Santana ~ Journey, etc)
Posted by ed in texas 2021-05-15 15:10
