DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized – Krebs on Security


The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

“Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account,” reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

“A few hours ago, we lost access to the public part of our infrastructure,” the message continues, explaining the outage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom.

“Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information,” the DarkSide admin says. “Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.”

DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.

“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions read.

The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform. This is interesting because security experts have posited that many of DarkSide’s core members are closely tied to the REvil gang.

The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the “social sector” (defined as healthcare and educational institutions) and organizations in the “gov-sector” (state) of any country. Affiliates also will be required to get approval before infecting victims.

The new restrictions came as some Russian cybercrime forums began distancing themselves from ransomware operations altogether. On Thursday, the administrator of the…

Source…