The criminal cyber cartel blamed for the ransomware attack on a US pipeline that caused fuel shortages among motorists this week has said it is shutting down operations, cyber security researchers said.
The news comes after the Colonial Pipeline Company paid a ransom to the hackers worth nearly $5 million while it was working to restart its 5,500-mile network, people familiar with the matter said.
DarkSide, the suspected Russia-based group the FBI said was responsible for the attack, has told its affiliates it is closing its services, said FireEye, a cyber security group appointed to investigate the incident.
Until now, DarkSide has maintained the ransomware but has also rented it to others through a partner program, lowering its own yield from attacks that take control of an organization’s data or software systems and lock out the owners using encryption until payment is made.
In a dark web post found by Recorded Future researchers and seen by The Washington City Times, it also said it had lost control of much of its public infrastructure – including its dark web blog and the server it uses to accept ransom payments – and that its crypto funds had been seized.
“The post cited the pressure from law enforcement and the pressure from the United States for this decision,” said Kimberly Goody, senior manager for financial crime analysis at FireEye’s Mandiant Threat Intelligence division.
It is unclear whether the disruption to the group’s infrastructure was directed by the authorities, or whether DarkSide took itself offline with a view to later resuming operations under a different guise, a move known as an “exit scam”.
US President Joe Biden said he has “strong reasons” to believe that the DarkSide hackers were based in Russia, but that he did not believe Moscow was directly responsible.
“We have been in direct contact with Moscow about the need for responsible countries to take decisive action against these ransomware networks,” he said Thursday.
In a blog post on Friday, blockchain analytics group Elliptic found that Colonial had paid 75 bitcoin – or nearly $5 million – to a crypto wallet used by DarkSide on May 8.
The wallet had received a total of $17.5 million in bitcoin since it went live in early March, and much of it was laundered through small cryptocurrency exchanges or sent to Hydra, an illegal dark web marketplace that typically serves Russia and neighboring countries.
Elliptic also confirmed that the $5 million ransom payment had been pulled from DarkSide’s crypto wallet on Friday, although it did not specify where this had moved.
Colonial began the process on Wednesday to bring the pipeline – a central artery for delivering motor fuel to the eastern US – back online. On Thursday, it said it had rebooted the entire system and began supplying products to all of its markets. It did not respond to a request for comment on the payment of the ransom.
The crisis has revived the debate over whether there should be a blanket ban on victims paying ransoms. White House press secretary Jen Psaki said on Thursday that the federal government continued to argue that paying a ransom only encourages such extortion, and urged companies to step up their defenses. The FBI does not recommend making payments.
According to cyber security group Emsisoft, ransomware gangs made at least $18 billion in ransom in 2020 as hackers took advantage of employees who switched to remote working and the ensuing cyber vulnerabilities. The average payment is about $150,000, data from Emsisoft shows.
Authorities are facing increasing public pressure to hunt down and prosecute attackers. Last Saturday, a group of tech companies, together with US agencies including the FBI, disrupted DarkSide by shutting down the US-based servers the group used to store data before sending it to Russia, according to two people familiar with the situation. The takedown and Colonial’s ransom payment were first reported by Bloomberg.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said there was debate about whether efforts should be made to move forward and hack criminal ransomware gangs, known as “hacking back”.
“People are talking about hackback – it’s back on the radar and that’s probably caused by the Colonial incident.”