DarkSide Ransomware Shutdown: An Exit Scam or Running for Hills?

The criminal gang behind the disruptive Colonial Pipeline ransomware hack says it is shutting down operations, but threat hunters believe the group will reemerge with a new name and new ransomware variants.

The DarkSide cybercrime gang claims it is shuttering operations amidst massive blowback from U.S. government and global law enforcement officials.

According to multiple threat hunters tracking darkweb communications, the DarkSide ransomware-as-a-service infrastructure has gone offline along with a naming-and-shaming website used by the criminal gang to pressure victims during extortion negotiations.

Intel471, a security vendor that tracks malicious activity on the darkweb, says it validated an “announcement” that DarkSide would “immediately cease operations” and issue data decryptors to all victims. In the statement, posted in Russian, the group claims that part of its infrastructure was disrupted by an unspecified law enforcement agency. 

“The group’s name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from their cryptocurrency wallets allegedly were exfiltrated,” Intel471 reported.

Security vendor FireEye says its researchers have also seen the DarkSide announcement, which claims the criminals “lost access to their infrastructure, including their blog, payment, and CDN servers and would be closing their service.” 

However, FireEye says it has not independently validated the claims and warns that this could be part of “an exit scam.”

In the past, in response to law enforcement activity, cybercriminal gangs have shut down operations, only to restart with a different name and new online infrastructure.

Another potential complication with a DarkSide shutdown is the status of live, ongoing negotiations on ransomware payments and data decryption tools.  “There are a lot of infected companies communicating with these [Darkside affiliates].  If they go dark, it could really complicate recovery efforts all over the world,” according to a source tracking the ransomware epidemic.

Intel471 says it also observed competing ransomware-as-a-service gangs going dark but, like FireEye, warns that ransomware extortion attacks won’t be ending anytime soon.

“It’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants,” the company said.

Intel471 believes the operators will find new ways to “wash” the cryptocurrency they earn from ransom payments.  

News of the supposed shutdown comes just after reports that Colonial Pipeline paid a $5 million ransom to the DarkSide cybergang.

Threat intelligence company Flashpoint believes — with moderate confidence based on code analysis — that the ransomware used in the Colonial Pipeline attack is a variant of the notorious REvil ransomware.

Separately, a Chainalysis study of ransomware transactions found that 15 percent of all extortion payments carried a risk of U.S. sanctions violations.