The criminal group linked to a cyberattack that disrupted gasoline delivery across parts of the southeastern U.S. this week has told hacking associates that it is shutting down, according to security research firms.
A website operated by ransomware group DarkSide, which U.S. officials have said is believed to originate in Eastern Europe, has been down since Thursday, according to security firms.
The group told affiliates its work was disrupted by a law-enforcement agency, according to an announcement from DarkSide to affiliates obtained by Intel 471. DarkSide didn’t respond to requests for comment earlier in the week.
It is not uncommon for ransomware groups such as DarkSide to disband, only to pop up later under a different name. It couldn’t be determined if the U.S. had any role in DarkSide’s claimed disruption or if the disruption was authentic. The FBI and the Justice Department didn’t immediately respond to requests for comment.
Colonial Pipeline Co., the operator of a critical gasoline pipeline to the Eastern U.S., became DarkSide’s latest victim this week and paid close to $5 million to the hackers, according to people familiar with the matter. The company shut down the pipeline May 7 and restarted it Wednesday.
President Biden on Thursday said his administration had been “in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks” and would “pursue a measure to disrupt their ability to operate,” though he did not elaborate. Asked if he would rule out whether the U.S. would respond with cyber operations, Mr. Biden replied “no.”
Mr. Biden also said he expected to speak to Russian President
soon about the country tolerating criminal hacking enterprises within its borders, a phenomenon that cybersecurity experts and U.S. officials have said has allowed international cybercrime originating from Russia to flourish unhindered for years.
In less than a year, DarkSide had gone from a relative unknown in the growing criminal enterprise of ransomware to one of the biggest and most consequential operators, security researchers say. The group has grown by recruiting “affiliates”—hackers who will penetrate online networks of businesses or public institutions—with whom it works to disrupt operations. The group split the ransom money with such affiliates, taking a percentage of the funds, security researchers say.
The group’s criminal efforts brought in at least $60 million in the first seven months of operation, with $46 million of it coming in the first quarter of 2021, according to blockchain research firm Chainalysis Inc. Because Chainalysis has an incomplete picture of all of DarkSide’s activities, the ransomware gang’s total haul was likely larger, the company said.
The Colonial Pipeline hack marked another major financial score for DarkSide, albeit one that drew significant scrutiny and would have made it difficult to collect payments, according to security researchers.
On Monday, the group issued a brief statement on its website saying it was apolitical and would take greater steps to moderate which targets it hit in the future. “Our goal is to make money and not creating problems for society,” the group wrote on its website.
“I wouldn’t be surprised if DarkSide has just said, ‘It is way too hot,’ and they decided to pull the pin on themselves,” said Winston Krone, the chief research officer with Kivu Consulting, Inc., a company that helps victims respond to ransomware incidents.
The shutdown may create challenges for companies that are trying to recover from an infection of the DarkSide ransomware. DarkSide encrypts the contents of victims’ computers, making them unusable. But the hackers are promising to provide decryption software at some time in the future, according to their statement.
Ransomware is part of an emerging and profitable criminal business that generated more than $400 million in income in 2020, according to Chainalysis. Hacking groups like DarkSide have reinvented the process through which criminal networks extort victims. Security researchers call their work ransomware-as-a-service. They make their money by offering customers—criminal hackers—a way to deploy their illegal software and extort victims via a well-designed web interface.
The affiliates are the ones who break into corporate networks, and they get most of the ransom payments—usually around 75%, according to FireEye. DarkSide writes the software, bills the victims, hosts stolen data, and even handles tech support and media relations, researchers say.
—Dustin Volz contributed to this article.
Write to Robert McMillan at Robert.Mcmillan@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.