DarkSide was launched to shake down big-game targets, and its attacks carry a veneer of professionalism. The group has been in the news since its launch, but the attack that shook the world is the one on Colonial Pipeline.
A brief history
Colonial Pipeline, which carries fuel along a 5,500-mile route from Texas to New Jersey, was hit by DarkSide ransomware operators. The incident became the most disruptive cyberattack on the U.S. energy system to date, and the company ended up paying $5 million in ransom. It is therefore worth taking a closer look at the ransomware gang that caused such severe damage to critical infrastructure.
- It operates in the Ransomware-as-a-Service (RaaS) domain, and five affiliates have been identified to date.
- DarkSide combines data exfiltration and extortion with encrypting the victim's data, a double-extortion model that pressures victims to pay even when they can restore from backups.
- It maintains a leak site on Tor to boast about the networks its operators have compromised. The threat actor may also launch DDoS attacks against companies unwilling to pay the ransom.
What did DarkSide say about the attack?
The ransomware gang published a press release, indicating that the attack might not have gone according to plan.
- The statement says that the gang is apolitical and is unwilling to be tied to geopolitical warfare.
- It also states that the group’s aim is to make money and not create issues for society. DarkSide operators plan on vetting their targets before the affiliates encrypt the networks.
- Furthermore, the release implies that the attack was a mistake because it prompted the administration to declare a national emergency.
What goes around comes around
- According to 'Unkn', a public representative of the REvil ransomware group, the DarkSide operation has reportedly shut down.
- The gang allegedly lost access to the public part of its infrastructure, including its payment and CDN servers.
- In addition, a DarkSide operator claimed that the crypto funds were withdrawn from their payment server and transferred to an unknown wallet.
U.S. pressures or exit scam?
- The operators announced that they would shut down their RaaS operation and settle outstanding financial obligations to affiliates by May 23.
- This sudden development came right after U.S. authorities announced their intention to go after the gang.
- However, the announcement may also be a ruse, since U.S. officials have not announced any further action against the group.
- The group is suspected of using President Biden's announcement as cover to shut down its infrastructure and make off with the affiliates' money.
The bottom line
Ransomware has evolved from a nuisance into one of the most pressing threats facing organizations worldwide, and organizations urgently need tested incident response plans and risk mitigation capabilities. Even if DarkSide steps back from attacking critical infrastructure, there is no guarantee that other gangs will follow suit; hardening defenses remains the only reliable way to avoid falling prey to these attacks.