DarkSide ransomware creators lose control of their servers and cryptocurrency addresses

Last weekend a group associated with the developers of the DarkSide ransomware attacked the systems of Colonial Pipeline, which operates the most important pipelines in the U.S. The attack has provoked strong responses from authorities, including President Joe Biden, who has committed to disrupting the operations of these hackers.

However, the developers of this variant of ransomware claim to have lost control of their web servers and even some of the funds obtained from these attacks: “Just a few hours ago we lost access to the public part of our infrastructure, including our blog, payment servers and DoS servers,” one of the ransomware operators mentioned.

“These servers are not available via SSH, and hosting panels are blocked,” added the DarkSide operator, while complaining that the web hosting provider refused to cooperate. The DarkSide operator also reported that cryptocurrency funds had been withdrawn from the group's payment server, which held the ransom payments made by victims.

These funds were supposed to be split between the developers of the ransomware and the affiliates who carry out the attacks; during this incident, however, they were sent to a cryptocurrency wallet controlled by an unidentified actor.

As mentioned in the previous paragraphs, this incident occurred after U.S. authorities disclosed a series of actions to track DarkSide's activities. President Biden said that he would devote considerable effort to disrupting the operations of this and other ransomware-as-a-service (RaaS) groups.

Moreover, some ransomware analysts point out that the group's announcement could also be a ruse, since in reality the U.S. government has only disclosed its intention to investigate the group's operations: “DarkSide hackers are only trying to take advantage of Biden’s statements to hide their infrastructure and escape with as much money as possible without sharing any of the loot with attack operators,” says researcher Dmitry Smilyanets.

In this regard, a Justice Department (DOJ) spokesperson added only that the investigation is still ongoing, so no further details can be provided.

Just an hour after DarkSide's announcement, REvil operators also posted a statement on their dark web platform saying that they will soon stop operating as a ransomware-as-a-service platform and return to working as a private operation, which in the cybercriminal community means that they will only work with a small number of accomplices.

This message has since been removed, although experts report that REvil also pledged not to attack critical sectors such as health services or basic education institutions, as doing so draws too much attention from the authorities.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.