The criminal hacking group that took down Colonial Pipeline, causing debilitating fuel shortages on the East Coast, has said in a message that it is shutting down after facing pressure from the U.S. government.
“In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck,” the group said in a message sent Thursday to partners in its ransomware business, according to a blog post by Intel471, a cybercrime intelligence firm.
But some security experts warned that the group may just be trying to take its money and run, collecting its ransom and disappearing from public view as it faces increasing heat from the high-profile attack. While Colonial has resumed pipeline operations, service stations throughout the Mid-Atlantic and Southeastern United States were still reporting short supplies of gasoline Friday.
“We have not independently validated these claims, and there is some speculation by other actors that this could be an exit scam,” Kimberly Goody, senior manager of financial-crime analysis for Mandiant, a division of the cyber firm FireEye, said in a statement.
Other ransomware gangs seemed to reevaluate their priorities as well in the wake of the sudden spotlight on DarkSide – at least in public-facing statements – voicing anxiety about what the massive hack’s “noise” and “hype” could mean for business.
Moderators on the Russian-language forum XSS, which is popular with cybercriminals, said in a post that they would remove all references to ransomware, according to a research note from digital risk-protection firm Digital Shadows. Two other ransomware groups, Avaddon and Sodinokibi, said on another forum that they would set limits on what hackers could attack using their services. Avaddon said it would no longer permit attacks on health-care organizations, public education or charities, according to Digital Shadows.
DarkSide had issued a statement earlier this week indicating that it, too, was chagrined by the disruption the Colonial Pipeline attack had caused. The FBI confirmed Monday that DarkSide was behind the ransomware hack.
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined [government] and look for our motives,” DarkSide’s statement said. “Our goal is to make money, and not creating problems for society.”
The FBI declined to comment on whether the U.S. government had played a hand in shutting down DarkSide’s website. The DarkSide Leaks blog on the “dark web” has been down since midday Thursday.
“The simplest explanation is the operators think that things have gotten a little hot and have exited that brand name,” said Michael Daniel, president and chief executive of Cyber Threat Alliance, an information-sharing nonprofit. “And they’ll reconstitute themselves under some other name.”
Daniel, a former White House cyber-coordinator in the Obama administration, added: “Not that I don’t wish it was the result of a government operation. But that seems unlikely in this situation, largely because it’s so soon.”
Cybersecurity experts expressed skepticism that the groups are shutting down or have found a new moral compass. But they did suggest that operating more privately could cut into the plague of ransomware incidents. Less-public websites listing stolen data for sale probably mean fewer buyers.
“I continue to subscribe to ‘there’s no honor among thieves,'” said Rick Holland, chief information security officer for Digital Shadows. “Generally, their morals are to support their interests and their ability to make money and continue to operate.”
DarkSide’s “ransomware as a service” business model allowed other hackers, or “affiliates,” to use its services to attack companies. The hackers would lock down computer systems so companies could no longer access them, then demand a ransom to unlock them. Often, hackers would steal some data and then insist on a second or larger ransom in exchange for not publishing the information online.
DarkSide’s website, when it was available, included a page of data from targets that presumably did not pay the ransom. It also operated a press center where reporters could register for news releases and an online registration system for victims. Companies could sign in to find out how to pay their ransom or even to get a discount on the demanded price.
The website was accessible via a Tor browser, which allows users to access websites that use a different protocol than most mainstream sites. But the site itself was rudimentary, Holland said, and probably took only a few days to set up.
That likelihood added to the skepticism that DarkSide was really gone for good. Robert M. Lee, the chief executive of cybersecurity firm Dragos, said its disappearance was probably an attempt to escape scrutiny after such a high-profile attack.
“It’s not surprising that they would want to disassociate themselves with a brand that the President of the United States mentioned on national TV,” Lee said in an email. “Most of these criminals never face any repercussions but when the value of the brand doesn’t matter as much, why take undue risk?”
Starting anew would not be difficult: By using a patchwork of hard-to-trace cryptocurrency exchanges, encrypted messaging services, foreign hosting services and other systems available on the dark web, the group could probably re-form in a matter of weeks under a new name in hopes it could escape the spotlight and fall back into the cybercriminal crowd.
Ransomware attacks have been around for years, but big groups that offer services to other hackers are a relatively new phenomenon that exploded in popularity, Holland said, after two groups became successful at the end of 2019. He said Digital Shadows was tracking two such groups at the end of 2019; that number had jumped to 20 by mid-2020.
“It’s kind of ‘monkey see monkey do.’ Everyone wanted to get in on the action,” Holland said.
Big payouts are another reason cybersecurity researchers are skeptical that DarkSide is completely gone. Ransoms can range into the millions of dollars, and a report from cyber-insurance firm Coalition found that the average ransom demand shot up to more than $338,000 in the first half of 2020.
“The business of being a bad guy on the Internet is really good,” said Oren Falkowitz, co-founder of Area 1 Security. “Imagine making $5 million from sending a few emails.”
It’s unclear exactly how much DarkSide has made from its crimes. Ransomware hackers demand that payments be made in cryptocurrency, which can make it hard for law enforcement to track. They often use different cryptocurrency “wallets” to collect each payment.
Elliptic, a London-based cryptocurrency monitoring firm, said Friday that it had identified a bitcoin wallet that DarkSide had used since March to receive millions of dollars in ransom payments from victims. The wallet was emptied of roughly $5 million in bitcoin on Thursday afternoon, Elliptic co-founder Tom Robinson said in a blog post.
Cryptocurrency research firm Chainalysis said it had determined that, through March, DarkSide had brought in at least $60 million since it popped up in August 2020.
Still, for all the ill-gotten money involved, ransomware attackers’ hacking methods are generally unsophisticated – sending phishing emails to try to get employees to click on a link or open an attachment that appears benign but contains malware.
In its message, DarkSide revealed nothing of a future site, telling its “affiliates” only that it had lost access to its Web infrastructure and payment server and would be shutting down its affiliate program. It said it had provided decryption information to the affiliates for their victims, so the affiliates could contact the companies themselves if they wanted to pursue ransom payments.