Colonial Pipeline hackers DarkSide to shut down after losing control and money

The hacking group lost control of its infrastructure and is unable to access its funds

Colonial Pipeline reportedly paid about $5 million to hackers to regain control of its systems.

DarkSide, the group responsible for the Colonial Pipeline cyber attack that caused fuel shortages and price increases across the US, is reportedly shutting down due to "pressure" from the US government.

The group's name-and-shame blog, ransom collection website and content delivery network, or CDN, were seized, while funds from its cryptocurrency wallets were transferred to unknown accounts by unidentified entities, DarkSide said in a message shared on several cyber crime forums and hacking websites.

“We lost access to the public part of our infrastructure, in particular to the blog, payment server, CDN servers … these servers cannot be accessed and the hosting panels have been blocked,” DarkSide said.

“A couple of hours after the seizure, funds from the payment server [belonging to DarkSide and its clients] were withdrawn to an unknown account.”

DarkSide, which made its first appearance in August, is a relatively new group behind ransomware attacks. It also ran an affiliate programme to help other hacker groups in their infiltration attempts.

The group said it issued decryption software to all its partners and affiliates to retrieve the encrypted data.

“In view of the above [account seizures] and due to the pressure from the US, the affiliate programme is closed,” DarkSide said.

“You will be given decryption tools for all the companies that have not paid yet … you will be free to communicate with them wherever you want in any way you want.”

DarkSide follows the ransomware-as-a-service model, meaning it sells or leases ransomware to others to carry out attacks.

The group also has a help desk to arrange negotiations with victims and to collect information about their targets.

Industry experts said this could be an attempt by DarkSide to avoid public attention and negative publicity.

“We have not independently validated these claims and there is some speculation by other actors that this could be an exit scam,” said Kimberly Goody, senior manager of financial crime analysis at Mandiant, a subsidiary of FireEye.

DarkSide is a typical case of criminal groups involved in “big game hunting”, said Vladimir Kuskov, head of threat exploration at Moscow-based Kaspersky.

“It looks like they did not expect such consequences and attention after the latest attack on Colonial Pipeline and now they are planning to introduce some sort of moderation to avoid such situations in the future,” he said.

DarkSide’s statement came after US President Joe Biden said the authorities would go after those responsible for the Colonial Pipeline attack.

“We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” Mr Biden said on Thursday.

The attack underscored the need to improve the cyber defence capabilities of the US, he said.

Mr Biden outlined plans to spend $4 trillion on infrastructure, social welfare and education programmes.

Colonial paid about $5 million to hackers on Friday to regain control of its systems, according to Bloomberg. In earlier reports, the company had insisted that it did not plan to pay the ransom.
