Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?



DarkSide Ransomware Shutdown: An Exit Scam or Running for Hills?

The criminal gang behind the disruptive Colonial Pipeline ransomware hack says it is shutting down operations, but threat hunters believe the group will reemerge with a new name and new ransomware variants.

The criminal gang behind the disruptive Colonial Pipeline ransomware hack says it is shutting down operations, but threat hunters believe the group will reemerge with a new name and new ransomware variants.

The DarkSide cybercrime gang claims it is shuttering operations amidst massive blowback from U.S. government and global law enforcement officials.

According to multiple threat hunters tracking darkweb communications, the DarkSide ransomware-as-a-service infrastructure has gone offline along with a naming-and-shaming website used by the criminal gang to pressure victims during extortion negotiations.

Intel471, a security vendor that tracks malicious activity on the darkweb, says it validated an “announcement” that DarkSide would “immediately cease operations” and issue data decryptors to all victims. In the statement, posted in Russian, the group claims that part of its infrastructure was disrupted by an unspecified law enforcement agency. 

“The group’s name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from their cryptocurrency wallets allegedly were exfiltrated,” Intel471 reported.

Security vendor FireEye says its researchers have also seen the DarkSide announcement, which claims the criminals “lost access to their infrastructure, including their blog, payment, and CDN servers and would be closing their service.” 

However, FireEye says it has not independently validated the claims and warns that this could be part of “an exit scam.”

Advertisement. Scroll to continue reading.

In the past, in response to law enforcement activity, cybercriminal gangs have shut down operations, only to restart with a different name and new online infrastructure.

Another potential complication with a DarkSide shutdown is the status of live, ongoing negotiations on ransomware payments and data decryption tools.  “There are a lot of infected companies communicating with these [Darkside affiliates].  If they go dark, it could really complicate recovery efforts all over the world,” according to a source tracking the ransomware epidemic.

Intel471 says it also observed competing ransomware-as-a-service gangs going dark but, like FireEye, warns that ransomware extortion attacks won’t be ending anytime soon.

“It’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants,” the company said.

Intel471 believes the operators will find new ways to “wash” the cryptocurrency they earn from ransom payments.  

News of the supposed shutdown comes just after reports that Colonial Pipeline paid a $5 million ransom to the DarkSide cybergang.

Threat intelligence company Flashpoint believes — with moderate confidence based on code analysis — that the ransomware used in the Colonial Pipeline attack is a variant of the notorious REvil ransomware.

Separately, a Chainalysis study of ransomware transactions found that 15 percent of all extortion payments carried a risk of U.S. sanctions violations. 

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...