
Darkside ransomware gang says it lost control of its servers & money a day after Biden threat





A day after US President Joe Biden said the US plans to disrupt the hackers behind the Colonial Pipeline cyberattack, the operator of the Darkside ransomware said the group lost control of its web servers and some of the funds it made from ransom payments.

“A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. DOS servers,” said Darksupp, the operator of the Darkside ransomware, in a post spotted by Recorded Future threat intelligence analyst Dmitry Smilyanets.

“Now these servers are unavailable via SSH, and the hosting panels are blocked,” said the Darkside operator while also complaining that the web hosting provider refused to cooperate.


In addition, the Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang’s payment server, which was hosting ransom payments made by victims.


The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said.


This sudden development comes after US authorities announced their intention to go after the gang.


In two conferences this week, on Monday and Thursday, US President Biden himself came out and said the US would go after the group after one of its attacks crippled a major fuel transport pipeline that impacted half of the US East Coast, leading the US to declare a state of national emergency in order to ensure gasoline was delivered to impacted regions.


“We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” President Biden said in a press conference on Thursday.


“We are also going to pursue a measure to disrupt their ability to operate,” he added [see video below].


Pres. Biden on Colonial Pipeline hack: "We do not believe the Russian government was involved in this attack—but we do have strong reason to believe that the criminals who did the attack are living in Russia." https://t.co/CAHmsNFmcf pic.twitter.com/ex8AfuwIPX


— ABC News (@ABC) May 13, 2021

Or exit scam?

But Smilyanets warns that the group’s announcement could also be a ruse, as no announcement has yet been made by US officials.


The group could be taking advantage of President Biden’s statements as cover to shut down its infrastructure and run away with its affiliate’s money without paying their cuts—a tactic known as an “exit scam” on the cybercriminal underground.


According to #REvil #ransomware operator Unknown (possible false flag), #DarkSide – No More. Servers are seized. Money is gone 💸

— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) May 14, 2021


Reached out for comment, a spokesperson for the Justice Department said the department does not comment on active investigations and could not confirm a coordinated action from any US entity.

REvil gang announces changes too

But it’s been a busy past 24 hours for ransomware gangs.


The news that Darkside lost control of its servers and that a major cybercrime forum was banning ransomware ads, all happening within a span of hours of each other, also had an effect on REvil, arguably considered today’s biggest ransomware operation.


In a post quoting Darkside’s (now-deleted) statement, REvil spokesperson Unknown made an announcement of their own and said they also plan to stop advertising their Ransomware-as-a-Service platform and “go private”—a term used by cybercrime gangs to describe their intention to work with a small group of known and trusted collaborators only.


In addition, the REvil group also said that it plans to stop attacking sensitive social sectors like healthcare, educational institutes, and the government networks of any country, which it believes could draw unwanted attention to its operation, such as the attention Darkside is getting right now.


In the case of any of such attacks carried out by any of its collaborators, REvil said they plan to provide a free decryption key to victims and stop working with the misbehaving affiliate.



Image: Recorded Future


Source: Darkside ransomware gang says it lost control of its servers & money a day after Biden threat


Good NEWS. Guess the ransomware gang don't like it when they're on the receiving end. Also glad they lost some of the money from payments made to them. Pity it wasn't 100% of all the money they RIPPED people off for. I'm also happy the web hosting company ISN'T helping the ransomware GANG either. What a pity the web hosting company didn't give the government all the email addresses of the gang, so they could look them up and then ARREST THEM.


The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.


“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.




“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining the outage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom. The outage also took down its payment server and those that supply its distributed denial-of-service feature, which is used to turn up the heat on victims who balk at paying.


“Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address,” the DarkSide admin says.


DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.


“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions read.


The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform.


This is interesting because security experts have posited that many of DarkSide’s core members are closely tied to the REvil gang.


The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.


The new restrictions came as some Russian cybercrime forums began distancing themselves from ransomware operations altogether. On Thursday, the administrator of the popular Russian forum XSS announced the forum would no longer allow discussion threads about ransomware moneymaking programs.


“There’s too much publicity,” the XSS administrator explained. “Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word ‘ransomware’ has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic.”


In a blog post on the DarkSide closure, cyber intelligence firm Intel 471 said it believes all of these actions can be tied directly to the reaction related to the high-profile ransomware attacks covered by the media this week.


“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 wrote. “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to ‘wash’ the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.”






All it took was a pipeline closure... early days yet, the story is developing, more facts and B.S. still to come.

The takedown of any criminal gang, such as these deadbeats, is to be applauded.

Hats off to whoever was involved.



Similar topics merged.
