Darkside Retreats to the Dark

After announcing that its criminal infrastructure has been taken down due to U.S. law enforcement pressure, the Darkside ransomware gang says it's retreating. But is it?

The Darkside gang began last Friday with a bang; but they may be ending their operations a week later with a whimper. Or they may be pulling another scam — this time to cheat affiliates out of their share of the ransom take.

After pulling in at least $9 million from two victims — $5 million paid by Colonial Pipeline on May 8 and about $4.4 million paid by the chemical distribution company Brenntag on May 11 — the developers behind the Darkside ransomware went offline.

Their dark web site — previously accessible only through the Tor browser — became unavailable on Thursday, and someone from a rival ransomware gang posted a message to a forum that was purportedly from the developer of the Darkside ransomware code. The message said the Darkside founders had lost access to the site where they hosted and published data stolen from ransomware victims who refused to pay, and they also lost access to the payment server and other infrastructure they need to collect payment and run their operations.

"A few hours ago, we lost access to the public part of our infrastructure, namely : Blog, Payment server, DOS servers," reads a since-deleted message from a user called Darksupp, according to The Record, a publication of Recorded Future. The service provider that hosted the infrastructure told the Darkside operators that the sites and servers were taken down "at the request of law enfocement [sic] agencies.” Darksupp also said that cryptocurrency had been withdraw from the wallet they used to store payments from ransomware victims.

There’s reason to believe that at least some of this is true. Reuters and Bloomberg reported earlier this week that companies assisting Colonial Pipeline in their response to the incident worked with the FBI to get a hosting provider in New York to shut down a server that was storing data stolen from Colonial Pipeline before the thieves could transfer it to Russia, where the perpetrators are believed to be based.

And on Friday, Elliptic, a blockchain analytics company which also makes compliance tools for cryptocurrency businesses to monitor transactions, reported that it had identified the Bitcoin wallet used by the Darkside gang. The company said that on Thursday, the wallet — which still held $5 million in Bitcoin — was emptied.

Some have suggested this could be a ruse on the part of the Darkside gang to avoid sharing ransom proceeds with their affiliates who carried out the ransomware operation against Colonial Pipeline. Without knowing where the funds went, however, it’s difficult to know if the FBI seized it or if the Darkside gang emptied the wallet themselves.

The wallet, according to Elliptic, became active on March 4th and received 57 payments from 21 other Bitcoin wallets, totalling $17.5 million.

“Some of these payments directly match ransoms known to have been paid to DarkSide by other victims, such as 78.29 BTC (worth $4.4 million) sent by chemical distribution company Brenntag on May 11,” the company noted.

If authorities did seize $5 million in Bitcoin that was still sitting in the Darkside wallet, it’s only a fraction of what the criminal syndicate had already laundered out of the wallet since March.

According to Elliptic, about 18% of the wallet’s contents was sent to a small group of cryptocurrency exchanges, where Bitcoin is traded among buyers and sellers. “This information will provide law enforcement with critical leads to identify the perpetrators of these attacks,” the company noted. “An additional 4% has been sent to Hydra, the world’s largest darknet marketplace, servicing customers in Russia and neighboring countries.”

Hydra allows users to cash out their Bitcoin by converting it to cash or loading sums onto prepaid debit or gift cards.

In addition to Darkside’s retreat, another top ransomware group known as REvil has announced that it plans to stop advertising its ransomware service and instead “go private” by working with only a small group of trusted affiliates, The Record reported.

Some are cautioning that the moves by Darkside and REvil don’t mean their activity will stop; just that the operators plan to become less flashy in order to attract less law enforcement attention.

“I sincerely hope the Infosec community and media don’t lose their minds over thinking DarkSide is actually shutting down when it’s almost certainly a rebranding attempt to avoid the heat,” Robert M. Lee, CEO of the security firm Dragos wrote on Twitter on Friday.

See also:

Anatomy of a $2 Million Darkside Ransomware Breach

US Gov Issues Emergency Order While Colonial Pipeline Is Down

Ransomware Infection on Colonial Pipeline Shows Potential for Worse Gas Disruption