Pierluigi Paganini May 14, 2021

The operators of the Darkside ransomware announced that they have lost control of their infrastructure and part of the funds the gang obtained from the victims.

Darkside ransomware operators say they have lost control of their servers and funds resulting from their extortion activity, the funds were transferred to an unknown wallet.

“The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.” reported TheRecord.

The news was revealed by a member of REvil ransomware gang, known as ‘UNKN,’ in a forum post on the Exploit hacking forum. The post was first spotted by Recorded Future researcher Dmitry Smilyanets, it includes a message allegedly from DarkSide explaining how the gang lost access to their blog, payment servers, and DDoS servers as a result of an action conducted by law enforcement action.

“Since the first version, we have promised to speak honestly and openly about problems. A few hours ago, we lost access to the public part of our infrastructure, namely:

• Blog.
• Payment server.
• DOS servers.”

reads the post from UNKN. “Now these servers are unavailable via SSH, the hosting panels are blocked. Hosting support, apart from information “at the request of law enfocement agencies”, does not provide any other information.”

Researchers from security firm Intel471 revealed that on May 13, 2021, DarkSide operators announced they would immediately cease operations of their RaaS program. The ransomware gang also said they would issue decryptors to all their affiliates for the victims. The group also said it plans to compensate all outstanding financial obligations by May 23, 2021. 

Yesterday, President Biden said that the US government doesn’t believe that the attack on the Colonial Pipeline was carried out by a Russia-linked threat actor, he pointed out that US authorities will go after the criminal gang responsible for the attack.

“We do not believe — I emphasize, we do not believe the Russian government was involved in this attack.  But we do have strong reason to believe that criminals who did the attack are living in Russia.  That’s where it came from — were from Russia.” said Biden.    
 
“We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks. We’re also going to pursue a measure to disrupt their ability to operate.  And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”
 
In the same hours, the leak site operated by DarkSide gang was not available and media outlets speculated it was seized by feds, but BleepingComputer noticed that the Tor payment server used by the group was still up and running.

Other experts speculate the gang opted for an exit scam keeping for them the ransom paid by the victims of its network of affiliates.

Please vote Security Affairs as Best Personal cybersecurity Blog
https://docs.google.com/forms/d/e/1FAIpQLSer_6yOZrL8OO6XjJ9yj3Mlq9LvuOakdTZN9ZmhkFCy1aQLdw/viewform

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, DarkSide)

[adrotate banner=”5″]

[adrotate banner=”13″]