Columbia Pipeline hackers get $5 Million Ransom then go Dark 

116
SHARE

DarkSide, the Columbia Pipeline hackers, initially posted an apology for the problems their attack had caused. And by Thursday they were sending another message to the partners in their ransomware gang. They claim they will immediately close their operations. Because the U.S. government is trying to retaliate against them. 

According to the security firm Intel471, DarkSide post says “In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck.”

Big Response to the ransomware attack

The DarkSide ransomware attack took down the Colonial Pipeline. As a direct result of the hacking, the pipeline firm had to shut down all systems. Within days debilitating fuel shortages hit the East Coast. And the White House, the FBI, and the Ransomware Task Force were meeting.

Signup for the USA Herald exclusive Newsletter

The FBI had just confirmed on Monday that DarkSide was responsible for the ransomware attack on Colonial Pipeline. And by Friday some of the biggest ransomware gangs were running for cover. Things were moving fast.

The Ransomware-as-a-Service (RaaS) business may never be the same. Many ransomware operators and the darknet cybercrime forums where they interact are claiming their infrastructure has been taken offline and their business is being blocked.

For the last few months ransomware gangs have been trying to take the heat off of their lucrative business enterprises. Some claimed that they would no longer attack hospitals. But many fear the response to the Colonial Pipeline attack may put them out of business.

The Babuk gang who hit the D.C. police authority claims it will hand over the ransomware’s source code to “another team,” which will develop it as a new brand. And they pledge to stay in business, running a name-and-shame blog. They also leaked the 250GB of data they stole from the police.

It seems that Babuk didn’t receive a ransom payment. And some security experts claimed the gangs’ source code was flawed anyway.

DarkSide posts

The DarkSide posts were in Russian. This is the English translation. Note that the second post disappeared within a few hours. But not before they were copied by law enforcement.

  • The Apology

DarkSide has indicated that it was caught by surprise by how disruptive its attack on Colonial Pipeline has been. They claim to be sorry for the unintended consequences of the ransomware attack.

“ We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined [government] and look for other our motives,” the statement said. “Our goal is to make money, and not creating problems for society.”

  • The Goodbye Post 

“Starting from version one, we promised to speak about problems honestly and openly. A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the

blog

payment server

CDN servers

At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.

The hosting support service doesn’t provide any information except “at the request of law enforcement authorities.” In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.

The following actions will be taken to solve the current issue: You will be given decryption tools for all the companies that haven’t paid yet.

After that, you will be free to communicate with them wherever you want in any way you want. Contact the support service. We will withdraw the deposit to resolve the issues with all the affected users.

The approximate date of compensation is May 23 (due to the fact that the deposit is to be put on hold for 10 days on XSS).

In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck.

The landing page, servers, and other resources will be taken down within 48 hours.”

Columbia Pipeline Hackers going dark 

Some security experts warn the group may taking the ransom and running. But they may not be gone forever. DarkSide may be going dark until the heat from the high-profile attack dies down.

The Colonial Pipeline is resuming operations but there is still a gasoline shortage throughout the Mid-Atlantic and Southeastern United States. And the U.S. claims to be treating the Colonial Pipeline ransomware attack as an act of war.

DarkSide’s website still includes a display page that shows data from their victims that haven’t paid a ransom. It also had a way for the media and hacking victims to register online. 

But it seems that DarkSide’s days as a large “ransomware-as-a-service” company operating a platform for other hackers, or their “affiliates” are over. The Columbia Pipeline hackers are running, but the U.S. may be in hot pursuit.