The DarkSide ransomware gang blamed for attacking Colonial Pipeline and disrupting fuel supplies across the US last week has apparently closed shop, as per cybersecurity researchers.
DarkSide pinned last week’s Colonial attack on one of its customers, which leveraged the gang’s ransomware-as-a-service model to use its malicious tools. The cyber criminals claimed to be apolitical and were just in the game to make money.
Given the statements from the US authorities following the attack, many were expecting a strong response from the country.
- These are the best endpoint protection tools
- Check our list of the best firewall apps and services
- Shield yourself with these best identity theft protection services
“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel as spotted by security researcher Brian Krebs.
Following the loss of its infrastructure, security firms such as FireEye and Intel 471 claim that DarkSide has told associates that it was left with little option but to shut down, reports the Wall Street Journal.
State-sponsored action?
The attack seems to have precipitated US President Joe Biden to sign an executive order that outlines steps for software vendors to engage with the government in order to prevent possible future cyberattacks.
President Biden also confirmed that the FBI has strong evidence to believe that the attack originated in Russia, but added that there’s nothing to suggest that the Russian government had any part to play in the attack.
He further confirmed that his administration was “in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks” and would “pursue a measure to disrupt their ability to operate.”
Significantly, when asked if he would rule out whether the U.S. would respond with cyber operations, President Biden replied with an emphatic “No.”
Changing tack?
While it appears that the shutdown is due to US involvement, some cybersecurity experts think it might all just be an eyewash.
“I wouldn’t be surprised if DarkSide has just said, ‘It is way too hot,’ and they decided to pull the pin on themselves,” said Winston Krone, the chief research officer with Kivu Consulting, Inc., which helps victims respond to ransomware incidents.
Krone believes that DarkSide might simply reappear under another name, once the heat has blown over.
- Protect your devices with these best antivirus software
