WASHINGTON – Russia-based cyber extortionist Darkside appeared out of business yesterday after unknown actors shut down the servers of the group, which had forced the closure of a large United States oil pipeline in a multimillion-dollar ransomware scam.
US cybersecurity firm Recorded Future said Darkside admitted in a web post that it lost access to certain servers used for its blog and payments.
Recorded Future threat intelligence analyst Dmitry Smilyanets said he found a Russian-language comment on a ransomware website ostensibly from “Darksupp”, described as the operator of Darkside.
“A few hours ago, we lost access to the public part of our infrastructure, namely, blog. Payment server. DOS servers,” said Darksupp in a post.
Accessed via TOR on the dark web, the Darkside site address showed a notice saying it could not be found.
Recorded Future reported that the Darkside operator also said cryptocurrency ransom payments have been withdrawn from its servers, dealing a setback to a group that had marketed itself as a formal business for hijacking victims’ IT systems until they paid to unlock them.
Speculation focused on who could have taken down Darkside’s computers after it had spent the past half-year extorting millions of dollars from companies that fell victim to its ransomware.
Some suspected that the US military’s Cyber Command took action, pointing to the Twitter account of the Pentagon’s 780th Military Intelligence Brigade, a hacking unit that retweeted the Recorded Future report shortly after it came out.
Asked in a congressional hearing yesterday if it is taking action against Darkside, Cyber Command commander General Paul Nakasone said he will not discuss the unit’s operations.
The Darkside episode came as ransomware actors continue to wreak havoc across the globe.
Ireland’s health authority yesterday said it has shut down its computer systems after experiencing a “significant ransomware attack”.
And another extortionist group, Babuk, continues to release sensitive online files stolen from Washington metropolitan police. It has demanded a seven-figure payout from the main security body of the US capital city.
Darkside, which surfaced online late last year, was behind the attack last week on Colonial Pipeline that forced the shutdown of its network shipping gasoline, diesel and aviation fuel across much of the eastern half of the US.
It sparked fuel shortages and long lines at gas stations across much of the southeast.
On Thursday, Colonial said it has resumed fuel deliveries along its 8,850km pipeline amid unconfirmed reports it paid Darkside US$5 million (RM20.63 million) to end the cyber siege.
The attention that the shutdown brought to Darkside, and the apparent attack on it, appeared to spark turmoil in the flourishing ransomware “industry”, in which hackers and owners of ransomware software and payment operations openly collaborate on mainly Russian-language forums.
US President Joe Biden said even though American intelligence did not link the Russia-based hackers to Moscow, he will nevertheless bring up the issue with his Russian counterpart, Vladimir Putin, at a summit tentatively planned in the coming months.
One such forum, XSS, on Thursday announced a ban on sales and rentals of ransomware, according to cybersecurity company Digital Shadows.
Elliptic, a specialist in cryptocurrency business and blockchain systems, said it has tracked down the bitcoin wallet used by Darkside to receive some payments.
It said the wallet received a payment of 75 bitcoins (US$3.8 million) from Colonial on May 8.
The wallet, active since March 4, has received a total of 57 bitcoin payments worth US$17.5 million, it added.
Security firms said despite Darkside appearing to have shut down, there remains the possibility of it reconstituting under another name, or that others could continue to use its software. – AFP, May 15, 2021