DarkSide, the ransomware group that disrupted gasoline distribution across the U.S. this week, has gone dark, an indication that the group has ceased, suspended, or altered its operations, or is carrying out an exit scam.
On Thursday, all eight of the dark web sites DarkSide used to communicate with the public went down, and they remained unavailable as of press time. Overnight, a post attributed to DarkSide said, without providing any evidence, that the group's website and content-sharing infrastructure had been seized by law enforcement, along with cryptocurrency that had been collected from victims.
Our money is gone
“At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked,” the post said, according to a translation of the Russian-language post published Friday by security company Intel471. “The hosting support service does not provide any information except ‘at the request of law enforcement authorities.’ Additionally, a few hours after the seizure, funds from the payment server (belonging to us and our customers) were withdrawn to an unknown account.”
The post goes on to claim that DarkSide will distribute a free decryptor to all victims who have not yet paid a ransom. So far, there are no reports of the group delivering on that promise.
If true, the seizures would represent a huge boon for law enforcement. According to newly released figures from cryptocurrency tracking company Chainalysis, DarkSide took in at least $60 million in its first seven months, with $46 million coming in the first three months of this year.
Locating and seizing a Tor hidden service would also be a big score, as it would probably mean that either the group made a major configuration error in setting up the service or law enforcement knew of a major weakness in the way the dark web works. (Intel471 analysts say that some of DarkSide's infrastructure is public-facing, meaning on the regular Internet, so that the malware can connect to it.)
But so far, there is no public evidence confirming these remarkable claims. Typically, when law enforcement in the US and Western European countries seizes a website, they post a notice on the site's front page disclosing the seizure. Below is an example of what visitors to the Netwalker group's site saw after it was taken down:
By contrast, none of the DarkSide sites shows such a notice. Instead, most of them time out or display blank pages.
Even more doubtful is the claim that the group's considerable cryptocurrency holdings have been taken. People experienced in handling digital currency know not to keep it in “hot wallets,” which are digital wallets connected to the Internet. Because hot wallets hold the private keys needed to transfer funds to new accounts, they are vulnerable to hacks and to the kind of theft described in the post.
For law enforcement to seize the digital currency, DarkSide's operators would have had to store it in a hot wallet, and the exchange holding that wallet would have had to cooperate with the law enforcement agency or have been hacked.
I highly doubt that the ransomware group is keeping its profits in a hot wallet on a cryptocurrency exchange that will cooperate with law enforcement. They go to shady exchanges only when they need to wash the money. Even then, the prohibition would be more believable than the transfer.
— Vess (@VessOnSecurity) May 14, 2021
It's also possible that close tracking by an organization like Chainalysis identified wallets that received money from DarkSide, and that law enforcement subsequently seized the assets. Indeed, Elliptic, a separate blockchain analytics company, reported that it had identified the Bitcoin wallet DarkSide used to receive payments from its victims. On Thursday, Elliptic reported, that wallet was emptied of $5 million.
At this time, we don't know whether that move was initiated by the FBI or another law enforcement agency, or by DarkSide itself. In any case, Elliptic says the wallet, which since the beginning of March has received 57 payments from 21 different wallets, provides important clues for investigators to follow.
“What we found was that 18% of Bitcoin was sent to a small group of exchanges,” wrote Elliptic Co-Founder and Chief Scientist Tom Robinson. “This information will provide law enforcement with important leads to identify the perpetrators of these attacks.”
Nonsense, noise, and noise
DarkSide's post came as XSS, a well-known criminal forum, announced that it was banning all ransomware activity, a particularly striking move since the site has been an important venue for the ransomware groups REvil, Babuk, DarkSide, LockBit, and Nefilim to recruit affiliates, who use the malware to infect victims in exchange for a cut of the revenue. Within hours, all of DarkSide's posts on XSS were taken down.
In a Friday morning post, security company Flashpoint wrote:
As an XSS manager, the decision is partly based on theoretical differences between the organization and the ransomware operators. Furthermore, the media’s attention from high-profile events has resulted in “a lot of nonsense, noise, and noise.” The XSS statement offers some reasons for its decision, mainly that ransomware packages and subsequent attacks are generating “a lot of PR” and increasing geopolitical and law enforcement risks to a “danger(ous) level.”
The XSS leader also said that when “Peskov (Press Secretary for Russian President Vladimir Putin) is forced to apologize in front of our ‘friends’ overseas — this is too much.” They hyperlinked an article on the Russian news website Kommersant entitled “Russia had nothing to do with the hacking attacks on the oil pipeline in the United States” as the basis for these claims.
Within hours, two other underground forums—Exploit and Raid Forums—also banned ransomware-related posts, according to images circulated on Twitter.
REvil, meanwhile, said it banned the use of its software against health care, education, and government organizations, The Record reported.
Ransomware is at a crossroads
The moves by XSS and REvil cause significant short-term disruption to the ransomware ecosystem, since they remove a key recruitment tool and source of revenue. The long-term effects are less certain.
“In the long term, it is hard to believe that the ransomware ecosystem will disappear completely, because the operators are financially motivated and the plans that work have been effective,” Intel471 analysts said in an email. They say it's more likely that ransomware groups will “go private,” meaning they will no longer openly recruit affiliates on public forums, or that they will dissolve their current operations and reinvent themselves under a new name.
Ransomware groups may also change their current practice of encrypting data so the victim cannot use it while also exfiltrating that data and threatening to make it public. This twofold approach aims to increase pressure on victims to pay. The Babuk ransomware group recently began dropping the malware that encrypts data while maintaining its blog that names and shames victims and publishes their data.
“This approach allows ransomware operators to take advantage of the blackmail phenomenon without having to deal with the public risk of disrupting the business continuity of a hospital or critical infrastructure,” Intel471 analysts wrote in an email.
Right now, the only evidence that DarkSide's infrastructure and cryptocurrency have been seized is the word of the criminals themselves, hardly enough to count as confirmation.
“I could be wrong, but I suspect this is just an exit scam,” Brett Callow, a threat analyst with security firm Emsisoft, told Ars. “DarkSide gets to go West—or, possibly rebuild—without needing to share the ill-gotten gains with their partners in crime.”