A day after US President Joe Biden said the US plans to disrupt the hackers behind the Colonial Pipeline cyberattack, the operator of the Darkside ransomware said the group lost control of its web servers and some of the funds it made from ransom payments.
“A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN servers,” said Darksupp, the operator of the Darkside ransomware, in a post spotted by Recorded Future threat intelligence analyst Dmitry Smilyanets.
“Now these servers are unavailable via SSH, and the hosting panels are blocked,” said the Darkside operator while also complaining that the web hosting provider refused to cooperate.
In addition, the Darkside operator reported that cryptocurrency funds were withdrawn from the gang’s payment server, which was hosting ransom payments made by victims.
The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.
This sudden development comes after US authorities announced their intention to go after the gang.
In two conferences this week, on Monday and Thursday, US President Biden himself came out and said the US would go after the group after one of its attacks crippled a major fuel transport pipeline that impacted half of the US East Coast, leading the US to declare a state of national emergency in order to ensure gasoline was delivered to impacted regions.
“We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” President Biden said in a press conference on Thursday.
“We are also going to pursue a measure to disrupt their ability to operate,” he added.
President Biden’s statement also came after Bill Evanina, former Director of the US National Counterintelligence and Security Center (NCSC), said last week that the US intelligence community was very likely to respond to the brazen Colonial attack in a disruptive manner.
The news that Darkside lost control of its servers and that a major cybercrime forum was banning ransomware ads, all happening within a span of hours of each other, also had an effect on REvil, arguably considered today’s biggest ransomware operation.
In a post quoting Darkside’s (now-deleted) statement, REvil spokesperson Unknown made an announcement of their own and said they also plan to stop advertising their Ransomware-as-a-Service platform and “go private”—a term used by cybercrime gangs to describe their intention to work with a small group of known and trusted collaborators only.
Additionally, the REvil group also said that it plans to stop attacking sensitive social sectors like healthcare, educational institutes, and the government networks of any country, which it believes could draw unwanted attention to its operation, such as the attention Darkside is getting right now.
In the case of any of such attacks carried out by any of its collaborators, REvil said they plan to provide a free decryption key to victims and stop working with the misbehaving affiliate.
Furthermore, hours after REvil’s announcement, the operators of the Avaddon ransomware also announced similar updates to their program, with the same clause barring ransomware groups from attacking government entities, healthcare orgs, and educational institutes.
While we may never know who or what is driving these changes among ransomware gangs, it is pretty clear that the Colonial Pipeline attack and its aftermath were the straw that broke the camel’s back, and that US authorities have started applying some sort of pressure on these groups.