The criminals associated with the DarkSide ransomware attack responsible for crippling fuel deliveries and soaring fuel prices in the US have revealed that their “servers were seized” and money transferred to an “unknown account.”
DarkSide Ransomware-as-a-Service Ceases Operations
The DarkSide ransomware attack on the Colonial Pipeline has caused massive disruption across the US. The pipeline carries refined oil products some 5,500 miles across the country, moving around 3 million barrels of oil between Texas and New York per day and accounting for around 45 percent of the East Coast’s fuel supply.
The ransomware attack knocked the critical pipeline offline, sparking frantic scenes as citizens rushed to fill all manner of containers with fuel in anticipation of shortages, forcing gas prices as high as $3 per gallon, the highest seen since 2014.
Furthermore, Colonial announced that it had paid the ransomware operator a $5 million ransom to receive a decryption tool but still had to resort to “traditional” data recovery as the ransomware firm didn’t respond fast enough. Although that sounds like a win-win scenario for a ransomware firm, other victims may refuse to pay a ransom if they think the firm won’t provide help afterward.
Now, in a turn of events, the ransomware-as-a-service operators informed their affiliates that they had lost control of a significant portion of the ransomware network itself, including payment servers, along with funds that have been transferred to other inaccessible accounts.
The post was made on a Russian crime forum, though cybersecurity companies monitoring the case, such as FireEye’s Mandiant, have raised suspicions regarding the sudden announcements.
The post cited law enforcement pressure and pressure from the United States for this decision. @Mandiant has not independently validated these claims and there is some speculation by other actors that this could be an exit scam. (3/3)
— FireEye (@FireEye) May 14, 2021
Not only is the timing highly suspicious, but it fits with other ransomware-as-a-service operations seen previously. After a successful score, the service drops off the map for a while, resurfacing at a later date with a fresh target.
However, the announcement did come with a small bonus for other victims of the same ransomware. Before shutting up shop, the ransomware operator will provide decryptors to anyone who hasn’t yet paid a ransom, fitting in with the operator’s earlier message that they’re only in it for the money, not to cause actual disruption and damage to property.
Noble as that is, the damage for many people is already done.
Ransomware as a Service Keeps Criminal Activity Agile
Ransomware remains a scourge, with victims facing the eternal battle between paying up to decrypt and recover files, all the while knowing that those funds are fuelling criminal activities.
In this case, Colonial felt that there was no choice but to pay to receive a decryptor—even if that process failed.
Many companies want ransomware payments banned, stating that payment only encourages criminals to perform more attacks. But while attacks continue and governments, businesses, and utilities suffer, the decision to pay a ransom must surely be made on a case-by-case basis.