DarkSide, Blamed for Gas Pipeline Attack, Says It Is Shutting Down

The criminal hacking group DarkSide, which the F.B.I. has blamed for carrying out a ransomware attack that crippled fuel delivery across the Southeastern United States this week, has announced that it is shutting down because of unspecified “pressure” from the United States.

In a statement written in Russian and provided to The New York Times on Friday by the cybersecurity firm Intel 471, DarkSide said it had lost access to the public-facing portion of its online system, including its blog and payment server, as well as funds that it said had been withdrawn to an unknown account. It said the group’s main web page and other public-facing resources would go offline within 48 hours.

“Due to the pressure from the U.S., the affiliate program is closed,” the statement said, referring to intermediary hackers, the so-called affiliates, it works with to break into corporate computer systems. “Stay safe and good luck.”

What that pressure may have been is unclear, but on Thursday, President Biden said the United States would not rule out a retaliatory strike against DarkSide that would “disrupt their ability to operate.” The White House spokeswoman, Jen Psaki, said the administration was waiting for recommendations from U.S. Cyber Command, but government officials on Friday declined to comment further about whether any action had been taken.

Cybersecurity analysts cautioned that the DarkSide statement could be a ruse, allowing its members to regroup and deflect the negative attention caused by the attack. The group’s announcement was reported earlier by The Wall Street Journal.

The crisis began when Colonial Pipeline, the operator of one of the nation’s largest fuel pipelines, announced on May 7 that it had been hit with a ransomware attack, in which criminal groups lock up computer systems and hold data hostage until the victim pays a ransom. In response, the company protectively shut down its pipeline, which delivers nearly half of the jet fuel and gasoline used on the Atlantic Coast, disrupting air travel and causing drivers to descend on gas stations in a surge of panic buying.

To free up its computer systems, Colonial Pipeline paid the extortionists about 75 Bitcoin, or nearly $5 million, according to people briefed on the transaction. The decision allowed the company to get gas flowing again, but may have complicated the Biden administration’s efforts to stave off new attacks.

In a statement on Friday, a Colonial spokeswoman said, “There is an ongoing investigation, and we’re not commenting on the ransom.”

Elliptic, a computer security company specializing in cryptocurrency, said on Friday that it had identified the Bitcoin wallet used by DarkSide to collect the Colonial Pipeline ransom payment. In a statement, Elliptic said Colonial Pipeline sent the ransom payment to DarkSide last Saturday.

Since the DarkSide account was opened in March, Elliptic said, it had received $17.5 million from 21 Bitcoin wallets, indicating the number of ransoms it had collected just this spring. Cybersecurity analysts assess that the group has been active since at least August, and has most likely used a number of different Bitcoin wallets to receive ransoms.

The intense scrutiny that followed the Colonial Pipeline attack has clearly unsettled ransomware groups. This week, the operators behind two major Russian-language ransomware platforms, REvil and Avaddon, announced strict new rules governing the use of their products, including bans on targeting government-affiliated entities, hospitals or educational institutions.

The administrator of XSS, a popular Russian-language cybercrime forum, announced an immediate ban on all ransomware activity on the forum, citing, among other things, the bad press associated with the industry. In a statement posted in the forum, the administrator called the attention a “critical mass of harm, nonsense, hype and noise,” saying even the spokesman for President Vladimir V. Putin of Russia had weighed in on the Colonial Pipe attack. (The spokesman, Dmitri S. Peskov, denied that the Kremlin had been involved in the attack on the pipeline.)

“The word ransom has become associated with a whole series of unpleasant things — geopolitics, blackmail, government cyberattacks,” the XSS administrator wrote. “This word has become dangerous and toxic.”

Even if DarkSide has shut down, the threat from ransomware has not passed. Cybercriminal networks often disband, regroup and rebrand themselves in an effort to throw off law enforcement, cybersecurity experts say.

“It’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” said Mark Arena, Intel 471’s chief executive. “A number of the operators will most likely continue to operate in their own close-knit groups, resurfacing under different aliases and ransomware names.”

Indeed, DarkSide gave no indication that its members were getting out of the ransomware business or even letting victims currently infected with the group’s malware off the hook. In its statement, DarkSide said it would hand over its decryption tools to affiliates, giving these intermediaries, who were responsible for infecting computer systems with the group’s malicious software, the ability to negotiate ransoms with victims directly.

“You will be given decryption tools for all the companies that haven’t paid yet,” the statement read. “After that, you will be free to communicate with them wherever you want in any way you want.”

Julian Barnes contributed reporting.

Source: Read Full Article