May 14, 2021

The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining that the outage affected its victim-shaming blog, where data stolen from victims who refuse to pay a ransom is published.

“Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information,” the DarkSide admin says. “Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.”

DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.

“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions read.

The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform. This is interesting because security experts have posited that many of DarkSide’s core members are closely tied to the REvil gang.

The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.

The new restrictions came as some Russian cybercrime forums began distancing themselves from ransomware operations altogether. On Thursday, the administrator of the popular Russian forum XSS announced the community would no longer allow discussion threads about ransomware moneymaking programs.

“There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”

In a blog post on the DarkSide closure, cyber intelligence firm Intel 471 said it believes all of these actions can be tied directly to the backlash against the high-profile ransomware attacks covered by the media this week.

“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 wrote. “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.”


210 thoughts on “DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized”

  1. Vadim A

    Don’t mess with big oil, man. This is not a hospital or a little municipality.

  2. Chris Holland

    So Sergey has pulled the inevitable exit scam, proving yet again, that there really is no honour amongst thieves.

    I sincerely hope that no companies had paid the Tsar’s ransom before Sergey headed off for his dacha in the Urals. Forking out millions and still having your network out would be a bitter pill indeed to swallow.

    1. TimH

      Interesting… so you think he decided to stop before being caught, pulled the stash himself, and put out the message that it was some law enforcement somewhere? If so, (s)he has to keep a very low profile spending the proceeds without alerting his compadres.

      1. James

        Anytime bitcoin, or any crypto, is involved, it always ends with someone taking all the money for themselves and blaming it on hackers or law enforcement.

        1. Jon Marcus

          How do you know?

          I mean, I like your scenario. But it seems both somewhat unlikely and impossible to verify.

    2. JamminJ

      I doubt there is really any significant money gone. This wasn’t the whole stash.
      This was more like a temp holding, escrow account. Just to pay affiliates.
      They might have already been paid, with nothing left.

      They may think the smartest thing to do is claim they’ve been retaliated against already.

  3. BubbaHoTep

    They are lucky this is all that has happened. There could very likely be dark operators on their way to permanently resolve the problem in a lethal way.
    Like most things, follow the money. Take away the ability for the operators to make money, the primary reason of ransomware goes away.

  4. Jerry Horton

    Cybercriminals with an ‘ethical’ code? This is what happens when you step on the tiger’s tail.

    ‘Honest’ cybercriminals are like unicorns – mythical and loved only by 13 year-olds. Intentional or not, these yahoos finally overstepped and got international geopolitics involved. The ‘host’ countries for these criminal groups have been turning a blind eye for years and it is well past time to crank up the political and law enforcement pressure on all parties who are even tangentially involved.

    My opinion may seem harsh but think about your own opinions on drug cartels, human trafficking, extortion, or other forms of ‘traditional’ crime. I would be willing to bet that you would not tolerate a meth lab in your own neighborhood. Computer crimes are still crimes. Yes, we all need to be more diligent about investing in and deploying a high degree of cybersecurity, but we also need to up the law enforcement ante to aggressively pursue criminals.

      1. Time Life Books

        Is that the guy who once shot a man just for snoring?

        1. Mo Larry, the Cheese

          I believe that was John Wesley Harding but it’s been a long time since I saw that commercial on the local UHF channel

  5. Henry Winokur

    I loved the comment in this morning’s (5/14/21) Washington Post: They said “they just wanted to MAKE money”. My comment “Uh no, they just wanted to STEAL money”.

  6. Jon

    Perhaps they saw a Reaper Drone in their rearview mirror.

    1. Phil

      That’s my guess! Reaper 1 is Oscar Mike!!!

  7. security vet

    …anyone that believes ransomware is suddenly going to stop, or even decrease, is sadly mistaken…

  8. Thomas Turner

    Of course darkside is closing up shop, taking the money and running. If it was a crack cyber team 4 stories underground in the deep bowels of Ft. Meade who ganked their money, they wouldn’t be all over saying “someone took it”!! No, everyone made out like a bandit on this operation; the cyber “talking heads” like krebs here get to enthrall us all with their expertise, cyber gets a huge budget increase and new authorities, politicians get to sprout forth their rhetoric. Colonial probably made out the best. 5 million is about 43 minutes worth of work for them, due to shutting down so quickly, even after having paid the ransom and receiving the correct decryption key, they created a shortage which added probably about another 50 cents per gallon to their already highly profitable 100 million gallon a day capacity. And they get reimbursed by their insurance and probably get to deduct it as a loss on their taxes. The only one who lost is, as usual, the consumer.

    1. Bruce Blanco

      Obviously you haven’t worked in the energy business or you would realize that running pipelines (and refineries) is expensive – maintaining the equipment, complying with both federal and state regulations (hundreds) and getting the products to the customers. Margins are typically thin (3 to 4 cents per gallon). Colonial has not only taken a hit on the revenue side but has experienced bad press over this, which no company wants.

      The real issue that none of the politicians want to talk about (a whole other discussion for a different forum on a different day) is that there are only seven refineries on the east coast to support a huge and growing population. In addition Colonial is the only major pipeline that transports fuel from the Texas and Louisiana refineries to the east. Why the situation – because communities and politicians have fought the construction of both.

      What this episode shows is how vulnerable our infrastructure is to cyber attacks. Hopefully this is a wakeup call to all…

      1. Sux to be aware

        If you actually believe this is a wake up call… I have a bridge over some swampland in Florida for sale cheap… Politicians are always asleep at the wheel.

      2. Thomas Turner

        Bruce, your talking points aren’t a comptia nor ic2 exam, this is real life. A pipeline company doesn’t rely on a “reputation” score (sec+ question). Who else are they going to use? Colonial owns the pipeline, it’s not like ExxonMobil is going to say “dammit Jim, I’m going to use kmi from now on” . The big problem is why isn’t critical infrastructure off of the public web.

        1. Jonathan (sitting less than 200 feet from a segment of the pipeline)

          I’ve heard a bunch of people making the “this shouldn’t be connected” argument, but we don’t know that the industrial controls are connected to the web. Their corporate systems were taken over, and are almost certainly interconnected to the private controls. They shut the private industrial control systems down before they could be compromised. None of this says that the industrial controls were directly connected to the web, just that they were somehow connected to the corporate network, which, I mean, don’t they have to be?

        2. Captain Calamity

          “The big problem is why isn’t critical infrastructure off of the public web.”

          Because dedicated lines are far more expensive and that would cut into shareholder profits.

      3. Notme

        Plus they had really bad security. The wake up call should be to sort out why they got hacked and how many other companies like this are vulnerable to the same attack. Why would their infrastructure be accessible to an attack like this? My only question.

    2. JustAnotherSecAdmin

      Time for Biden to pay up. Obviously this was a pre-planned operation from the get go. Would be surprised if US actors were involved. 30 days before the attack and colonial is looking to hire a “cyber security expert”. Ok, it’s all about the bottom line, money. Take a guess on how much money has stations in the east coast made during this little operation. Ehhhhhhemmmm

  9. ResiderInsider

    Who can have sympathy for the crybabies; but really, do you believe them? This sounds like a cheap way to make a diversion as they are feeling some pressure (mostly from friends I suspect), but this announcement is too obvious a trick.

  10. Raul

    Is there any independent confirmation that their servers and money were seized? You can’t just trust what they say. Or even that the person saying this is a real member of that mafia.

  11. Robert.Walter

    Vlad is (temporarily) retrenching.

    Also, the comment “ransomware has a toxic name” is rich. Crook complaining about the prominence of the word but not the actions described by it.

    As soon as heat recedes or new pathways are found, they will be back.

    I have no proof but also no doubt Vlad allowed these organizations to operate 1) as a demo to other countries that if push came to shove he could activate them to cause civilian chaos and 2) for a cut.

  12. ResiderInsider

    Sour grapes? or a shill? Of course, Krebs on Security will be used to shore up the misdirection.

  13. jon bondy

    I would love an article about how cyber criminals launder their crypto currency, and what can be done to make that aspect of their business more difficult for them

  14. Joe

    It’s difficult to tell what is really going on. I get the impression that the criminals are worried that they went too far, and that the blowback could be lethal to them if intelligence services track them down; even if the Russian government wants to protect this activity it might not prevent others from snatching them or worse.

    But the culprits might just be moving their money to a different wallet, planning to go quiet for a while and re-organize when the heat goes down a bit. I’m skeptical of any claims that they somehow lost their money. Possible, but just as likely that they saw their pursuers coming and they moved the money.

  15. Neverends

    Whenever I read something like this, it seems I may have stumbled into The Onion by mistake. Aren’t cybercriminals supposed to hide? Makes me wonder if anything they posted is true or if it really even came from DarkSide. Done sceered up a whole bunch o’ goobers!
    Not saying any of this is fake, just really weird.

  16. ihavegas

    The gas companies were secretly behind their own heist, to cause panic and surges of sale of their product to line their pockets. Disrupt supply, cause jump start of price hikes after covid lull. We’ve been played. How’s that for a conspiracy theory?

    1. BrianKrebs Post author

      Probably a lot of readers will dismiss this comment from ihavegas as asinine, but it is a narrative that has taken hold of certain conservative talking points. I saw a thread on this at Twitter yesterday but now I can’t find it. But basically it was about how The Biden administration orchestrated this whole thing for a bunch of reasons that don’t really make any sense.

      1. Notme

        Breitbart had something like this, but it hurt my brain to read it.

      2. Gauffroi

        Au contraire, the view that Colonial staged this to increase profitability is at least partially the spawn of the “evil corporation” theory, a favorite meme of Hollywood, which apparently sells a lot of tickets, the audience for which have probably never worked for one of these evil corporations, so the story could be believable (of course, some evil corporations are now confounding the meme by having the audacity to make virtue-signaling statements). Why are the Biden Administration conspiracy theories any less (or more) believable than the theory that Colonial did this to itself? To test the self-inflicted theory look at Colonial’s financial results for this quarter (possibly difficult since Colonial is a privately-held entity). Not sure how you test the Biden Administration theory. So we all can believe what we want to believe without any risk of ever learning the truth.

      3. Thomas Turner

        I’m more inclined to believe that the oil companies and colonial took advantage of this “opportunity”. You can’t just brush off the fact that NO operational systems were affected. It was all backend HR and financial systems. At least it appears they had it segmented. Colonial almost immediately paid the ransom and still shut operations down. That’s not a valid strategy. They claimed that it was “taking too long” to restore using the decryption and they were afraid that it could have been elsewhere on the network.
        What bullcrap. It would take less than a day to find the IOCs. Why are you injecting political crap into your blog now?

  17. Thomas Fink

    Karma. Live by the sword, die by the sword.

  18. whatever

    LOL
    withdraw to unknown account
    unknown server
    unknown hackers

    this is a joke right? people are not that stupid. This whole thing is a made up bs.

  19. KJ

    Why does this feel like they got their 5Million and they retired….? Anyone?

  20. Paul

    Comrade Vlad’s Tax came due? Accounts drained.

  21. Doby

    Open comment to Brian: Is there any independent source confirmation? Also, is there an “open method” to check if these servers are truly off line and what their activity was for the last 48 hours?

  22. James Schumaker

    It’s hard to know exactly what happened here, but the most likely answer is that the Russian intelligence services shut DarkSide down.

    If you are an international hacker based in Russia, you work at the sufferance of the intelligence agencies, usually the FSB, and there are three rules: (1) Don’t hack Russians, (2) Be on call for any operations required by Russian intelligence and (3) Don’t make trouble that could blow back on Russia.

    Clearly, DarkSide violated rule number three.

  23. PattiM

    Did this actually happen? Is what the Admin(s) say trustworthy? Independent verification?

  24. Profengs

    I believe the following: (in no particular order)
    A. A major cyber-criminal’s organization is active in Russia and the FSB is unaware of it.
    B. I believe that a hardened cyber-criminal is sorry about the chaos they caused and was only after the money.
    C. They didn’t have a back door on their money stash.
    D. They were not aware of the damage fall out they could cause.
    I also like to suggest the following Word Associations
    1. Vladimir Putin/Darkside/plausible deniability
    2. Colonial Oil/Shutdown/Price Rise
    3. Investigation/Joe Biden/Bull s**t

  25. R Scott

    The ghosts should handle this. Use the NSA to find them. And send a DIA team in to fix the problem permanently. And make sure the whole world knows. The real answer to Cyberwarfare, is a shallow ending.

    1. LinuxLove

      That’s how you start a nuclear war, dumbass, and wipe out the entirety of humanity. Real intelligent.

  26. John Bottoms

    Headline says “servers seized”, not “stolen”. Which are we to believe happened? It sounds like a good bit of malarky.

  27. The Sunshine State

    Russian cyber-criminals now with a conscience , I’m not buying it and you shouldn’t either.

  28. TLCX3

    This could be an Oceans 11-12 or 13 remake.
