The criminal cyber cartel accused of the ransomware attack on a U.S. pipeline that caused gasoline shortages for motorists this week has said it is shutting down, according to cybersecurity researchers.
The news comes after the Colonial Pipeline Company paid hackers a ransom worth nearly $5 million as it worked to restart its 5,500-mile network, people familiar with the matter said.
DarkSide, the suspected Russia-based group that the FBI said was responsible for the attack, told its affiliates it was shutting down its services, said FireEye, a cybersecurity group appointed to investigate the incident.
Until now, DarkSide has maintained the ransomware itself but has also leased it to others through an affiliate program, taking a share of the proceeds from attacks that seize control of an organization’s data or software systems and lock the owners out with encryption until payment is made.
In a post on the dark web, found by researchers at Recorded Future and seen by the Financial Times, the group also said it had lost control of much of its public infrastructure – including its dark web blog and the server it uses to accept ransom payments – and that its crypto funds had been seized.
“The post cited pressure from law enforcement and pressure from the United States for this decision,” said Kimberly Goody, senior director of financial crime analysis at FireEye’s Mandiant Threat Intelligence branch.
It is not known whether the disruption of the group’s infrastructure was led by authorities, or whether DarkSide was going offline in order to resume operations at a later stage under another guise, a move known as an “exit scam”.
US President Joe Biden said he had “good reason” to believe that the DarkSide hackers were based in Russia, but that he did not believe that Moscow was directly responsible.
“We have been in direct communication with Moscow on the imperative for the countries responsible to take decisive action against these ransomware networks,” he said Thursday.
In a blog post on Friday, blockchain analyst group Elliptic said it had discovered that Colonial had paid 75 bitcoins – or nearly $5 million – to a crypto wallet used by DarkSide on May 8.
The wallet had received a total of $17.5 million in bitcoin since it became active in early March, much of which was laundered through small cryptocurrency exchanges or sent to Hydra, an illegal dark web marketplace that generally serves Russia and neighboring countries.
Elliptic also confirmed that the $5 million ransom payment was emptied from DarkSide’s crypto wallet on Friday, although it did not indicate where the funds had moved.
On Wednesday, Colonial started the process of bringing the pipeline, a central artery for the delivery of fuel to the eastern United States, back online. On Thursday, it announced that it had restarted the entire system and started delivering products to all of its markets. It did not respond to a request for comment on the ransom payment.
The crisis has reignited debate over whether there should be a blanket ban on victims paying ransoms. White House press secretary Jen Psaki said on Thursday that the federal government continued to argue that paying ransoms only encouraged such blackmail activity and urged companies to strengthen their defenses. The FBI advises against payments.
Ransomware gangs earned at least $18 billion in ransoms in 2020, according to cybersecurity group Emsisoft, as hackers took advantage of employees’ shift to remote work and the resulting cyber vulnerabilities. The average payout is around $150,000, according to data from Emsisoft.
Authorities face increasing public pressure to hunt and prosecute attackers. Last Saturday, a group of tech companies, along with US agencies such as the FBI, disrupted DarkSide by shutting down the US-based servers it used to store data before sending it to Russia, according to two people close to the situation. Colonial’s withdrawal and ransom payment were first reported by Bloomberg.
James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, said there was a discussion about whether to go one step further and hack criminal ransomware gangs, a practice known as “hacking back”.
“People are talking about hackback – it’s back on the radar and it’s probably due to the Colonial incident.”