Darkside – the ransomware group that disrupted the distribution of gasoline across a wide part of the United States this week – has gone dark, leaving it unclear whether the group will cease, suspend or change its activities or simply orchestrate an exit scam.
On Thursday, all eight of the dark-web sites Darkside used to communicate with the public went down, and they remained down as of publication. During the night, a post attributed to Darkside claimed, without providing evidence, that the group
The dog ate our money
“Currently, these servers are not accessible via SSH and the hosting panels have been blocked,” the post said, according to a translation of the Russian-language post published Friday by security firm Intel471. “The Hosting Support Service does not provide any information except ‘at the request of law enforcement.’ In addition, a few hours after the seizure, money was withdrawn from the payment server (belonging to us and our customers) to an unknown account.”
The post went on to claim that Darkside would provide a decryptor free of charge to all victims who have not yet paid a ransom. So far, there are no reports of the group living up to that promise.
If true, the seizures would constitute a major coup for law enforcement. According to recently released figures from cryptocurrency-tracking firm Chainalysis, Darkside netted at least $60 million in its first seven months, $46 million of which came in the first three months of this year.
Locating the server behind a Tor hidden service would also be a huge score, since it would most likely mean either that the group made a major configuration error when setting up the service or that law enforcement knows of a serious weakness in the way Tor hidden services work. (Intel471 analysts note that some of Darkside’s infrastructure is publicly facing, meaning reachable over the regular Internet rather than only through Tor, so that malware on infected machines can connect to it.)
But so far there is no public evidence to confirm these extraordinary claims. When law enforcement in the United States and Western Europe seizes a site, it typically replaces the front page with a banner announcing the seizure. Below is an example of what visitors saw after the Netwalker group’s site was taken down:
So far, none of the Darkside pages show such a message. Instead, most of them time out or display blank screens.
Even more questionable is the claim that the group’s sizable cryptocurrency holdings were taken. People with experience using digital currency don’t keep it in “hot wallets,” the digital vaults that stay connected to the Internet. Because hot wallets hold the private keys needed to transfer funds to new addresses, they are exposed to hacks and to the kind of seizure the post describes.
For law enforcement to confiscate the currency, Darkside’s operators would most likely have had to keep it in a hot wallet, and the exchange or service hosting that wallet would have had to cooperate with law enforcement or be compromised.
I highly doubt that a ransomware group keeps the profits in a hot wallet on a cryptocurrency exchange that would cooperate with law enforcement. They only go to shady exchanges when they need to launder the money. Even then, blocking would be more credible than transfer.
– Vess (@VessOnSecurity) May 14, 2021
It is also possible that close tracking by a firm like Chainalysis identified wallets that received funds from Darkside and that law enforcement then confiscated those holdings. Such analyses take time, however.
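A simplified version of the kind of forward tracing that such analysis relies on, as an added example that is not part of the original article and not Chainalysis’s tooling. It walks a constructed, time-ordered transaction graph from a seed ransom address, propagates taint with a proportional (“haircut”) model so that co-spending with clean coin dilutes it, stops after a hop limit, and flags any address on an assumed exchange watchlist. Every address, amount and label in it is made up.

```python
from collections import defaultdict

# Constructed sample transaction graph: not real chain data. Each transaction
# spends (address, amount) inputs and pays (address, amount) outputs, and the
# list is in confirmation order, so a spend always comes after the payment
# that funded it. The difference between inputs and outputs is the fee.
SAMPLE_TXS = [
    {"txid": "tx1", "inputs": [("victim_a", 80.0)],
     "outputs": [("ransom_1", 75.0), ("victim_a_change", 4.9)]},
    # Operator co-spends the ransom with 25.0 of untainted coin
    {"txid": "tx2", "inputs": [("ransom_1", 75.0), ("clean_1", 25.0)],
     "outputs": [("hop_1", 60.0), ("hop_2", 39.9)]},
    {"txid": "tx3", "inputs": [("hop_1", 60.0)],
     "outputs": [("exchange_deposit", 59.9)]},
    # Unrelated activity that never touches the tainted funds
    {"txid": "tx4", "inputs": [("unrelated", 10.0)],
     "outputs": [("clean_2", 9.9)]},
    # Tainted and clean coin mixed again before going to a mixer
    {"txid": "tx5", "inputs": [("hop_2", 39.9), ("clean_2", 9.9)],
     "outputs": [("mixer_in", 49.7)]},
]

# Assumed attribution list: addresses an analyst has labelled as exchange
# deposit addresses (hypothetical labels, not real attributions).
EXCHANGE_LABELS = {"exchange_deposit": "ExampleExchange"}


def trace_forward(txs, seed, max_hops=4, min_fraction=0.01):
    """Follow funds forward from `seed` through time-ordered transactions.

    Returns {address: (hops_from_seed, taint_fraction)} for every address
    that received a non-negligible share of the seed's funds within
    `max_hops` transactions. Taint uses the proportional ("haircut") model:
    each output of a transaction inherits the fraction of tainted value among
    that transaction's inputs, so co-spending with clean coin dilutes it.
    """
    received = defaultdict(float)   # total value paid to each address
    tainted = defaultdict(float)    # of which, value attributed to the seed
    hops = {seed: 0}

    def fraction(addr):
        if addr == seed:
            return 1.0
        return tainted[addr] / received[addr] if received[addr] else 0.0

    for tx in txs:
        total_in = sum(v for _, v in tx["inputs"])
        tainted_in = 0.0
        input_hops = []
        for addr, value in tx["inputs"]:
            if addr not in hops:
                continue            # clean input, contributes no taint
            tainted_in += value * fraction(addr)
            input_hops.append(hops[addr])
        if not input_hops or total_in <= 0:
            continue                # nothing tainted was spent here
        frac_out = tainted_in / total_in
        hop = min(input_hops) + 1
        if frac_out < min_fraction or hop > max_hops:
            continue                # too diluted or too far to keep following
        for addr, value in tx["outputs"]:
            received[addr] += value
            tainted[addr] += value * frac_out
            hops[addr] = min(hops.get(addr, hop), hop)

    return {addr: (hop, round(fraction(addr), 4)) for addr, hop in hops.items()}


def flag_cashouts(trace, labels, min_fraction=0.5):
    """Return labelled (e.g. exchange) addresses that received tainted funds.

    These are the points where a freeze or seizure request could be served,
    which is part of why seizing a cash-out takes time: the service has to
    be identified, asked, and then has to act.
    """
    return {addr: (hop, frac, labels[addr])
            for addr, (hop, frac) in trace.items()
            if addr in labels and frac >= min_fraction}


if __name__ == "__main__":
    trace = trace_forward(SAMPLE_TXS, "ransom_1")
    for addr, (hop, frac) in sorted(trace.items(), key=lambda kv: kv[1]):
        print(f"{addr:18s} hops={hop} taint={frac:.2%}")
    print("cash-outs:", flag_cashouts(trace, EXCHANGE_LABELS))
```

The haircut model is one of several conventions (others follow first-in-first-out order or treat any contact as fully tainted); which one an analyst uses changes the fractions but not the set of addresses reached, and neither substitutes for the legal process needed to actually freeze funds at an identified service.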
Nonsense, hype and noise.
Darkside’s post came as a prominent criminal underground forum called XSS announced that it was banning all ransomware activity, a major about-face from its past. The site had been an important resource for the ransomware groups REvil, Babuk, Darkside, LockBit and Nefilim, which used it to recruit the affiliates who deploy the malware against victims and in turn receive a cut of the revenue. A few hours later, all of Darkside’s posts on XSS had been taken down.
In a Friday morning post, security firm Flashpoint wrote:
According to the administrator of XSS, the decision is based in part on ideological differences between the forum and ransomware operators. Moreover, the media attention from high-profile incidents has resulted in a “critical mass of nonsense, hype and noise.” The XSS statement provides some reasons for its decision, in particular that ransomware collectives and their accompanying attacks generate “too much PR” and increase the geopolitical and law enforcement risks of a “danger[ous] level.”
The administrator of XSS also claimed that when “Peskov [the Press Secretary for the President of Russia, Vladimir Putin] is forced to make excuses in front of our overseas ‘friends’ – that’s a little too much.” They hyperlinked an article on the Russian news site Kommersant entitled “Russia has nothing to do with hacking attacks on a US pipeline” as the basis for these allegations.
Within hours, two other underground forums – Exploit and Raid Forums – had also banned ransomware-related posts, according to images circulating on Twitter.
REvil, meanwhile, said it banned the use of its software against health care, education and government organizations, The Record reported.
Ransomware at a crossroads
The moves from XSS and REvil constitute a major short-term disruption of the ransomware ecosystem as they remove a key recruitment tool and source of revenue. Long-term effects are less clear.
“In the long run, it’s hard to believe that the ransomware ecosystem will fade completely, as operators are financially motivated and the schemes used have been effective,” Intel471 analysts said in an email. They said ransomware groups were more likely to “go private,” meaning they would stop recruiting affiliates on public forums, or would wind down their current operations and rebrand.
Ransomware groups may also move away from their current practice of encrypting data so that the victim cannot use it while also exfiltrating the data and threatening to publish it. This double-extortion method is meant to increase the pressure on victims to pay. The Babuk ransomware group recently began phasing out the malware that encrypts data while keeping the blog on which it names and shames victims and publishes their data.
“This approach allows ransomware operators to reap the benefits of a non-extortion event without having to tackle public waste to disrupt business continuity in a hospital or critical infrastructure,” Intel471 analysts wrote in the email.
So far, the only evidence that Darkside’s infrastructure and cryptocurrency have been seized is the word of admitted criminals, which is hardly enough to count as confirmation.
“I could be wrong, but I suspect this is simply an exit scam,” Brett Callow, a threat analyst with security firm Emsisoft, told Ars. “Darkside is going to sail off into the sunset – or, more likely, rebrand – without having to share the ill-gotten gains with their partners in crime.”