https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/

Krebs on Security

DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized

May 14, 2021

The DarkSide ransomware affiliate program responsible for the six-day outage at Colonial Pipeline this week that led to fuel shortages and price spikes across the country is running for the hills. The crime gang announced it was closing up shop after its servers were seized and someone drained the cryptocurrency from an account the group uses to pay affiliates.

"Servers were seized (country not named), money of advertisers and founders was transferred to an unknown account," reads a message from a cybercrime forum reposted to the Russian OSINT Telegram channel.

"A few hours ago, we lost access to the public part of our infrastructure," the message continues, explaining the outage affected its victim shaming blog where stolen data is published from victims who refuse to pay a ransom.

"Hosting support, apart from information 'at the request of law enforcement agencies,' does not provide any other information," the DarkSide admin says. "Also, a few hours after the withdrawal, funds from the payment server (ours and clients') were withdrawn to an unknown address."

DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven't yet paid. "After that, you will be free to communicate with them wherever you want in any way you want," the instructions read.

The DarkSide message includes passages apparently penned by a leader of the REvil ransomware-as-a-service platform. This is interesting because security experts have posited that many of DarkSide's core members are closely tied to the REvil gang.

The REvil representative said its program was introducing new restrictions on the kinds of organizations that affiliates could hold for ransom, and that henceforth it would be forbidden to attack those in the "social sector" (defined as healthcare and educational institutions) and organizations in the "gov-sector" (state) of any country. Affiliates also will be required to get approval before infecting victims.

The new restrictions came as some Russian cybercrime forums began distancing themselves from ransomware operations altogether. On Thursday, the administrator of the popular Russian forum XSS announced the community would no longer allow discussion threads about ransomware moneymaking programs.

"There's too much publicity," the XSS administrator explained. "Ransomware has gathered a critical mass of nonsense, bullshit, hype, and fuss around it. The word 'ransomware' has been put on a par with a number of unpleasant phenomena, such as geopolitical tensions, extortion, and government-backed hacks. This word has become dangerous and toxic."

In a blog post on the DarkSide closure, cyber intelligence firm Intel 471 said it believes all of these actions can be tied directly to the reaction related to the high-profile ransomware attacks covered by the media this week.

"However, a strong caveat should be applied to these developments: it's likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways," Intel 471 wrote. "A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to 'wash' the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil has allegedly ceased operations.
Several apparent customers of the service reported they were unable to access BitMix in the last week."

This entry was posted on Friday 14th of May 2021 11:44 AM under Ne'er-Do-Well News, Ransomware.
Tags: Avaddon, BitMix, Colonial Pipeline ransomware attack, DarkSide ransomware, Intel 471, REvil, XSS

82 thoughts on "DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized"

1. Play stupid games... (May 14, 2021)
Sounds like DarkSide learned what dictators and cybercriminals alike have known for decades: Want to shut down international logistics and shipping? Ok. Kill people by shutting down hospitals? The FBI will get around to investigating it. Commit some war crimes here and there? Maybe a condemnation and some sanctions. Fuck with America's oil? Get ready to learn about American liberty. And by liberty, I mean you're going to be liberated from everything you hold dear.

    1. Charlesofaberdeen (May 14, 2021)
    You hit the nail right on the head with that comment.

2. Curtis Garcia (May 14, 2021)
Should be automatic mandatory death penalty for this sort of piracy.

    1. LinuxLove (May 14, 2021)
    Yet the NSA didn't get in any trouble when they caused 6+ deaths and billions of dollars in damages when they refused to notify Microsoft about EternalBlue, then got hacked and their exploit leaked, and caused untold amounts of damage across the world. Or when the CIA was busted hacking into Senate computers to delete evidence about the CIA's enhanced interrogation program, nobody got in trouble there. An automatic death sentence? Are we North Korea?

        1. Timodeous (May 14, 2021)
        Soon it'll feel like it if Biden just keeps up making Exec Orders instead of constitutional laws.

            1. Bitters (May 14, 2021)
            Kinda exactly like the previous asshole.

            2. TheDuck (May 14, 2021)
            What has Biden got to do with this? What a garbage comment.

            3. Joe Schmoe (May 14, 2021)
            And cue the ignorant redhat comment. Trump still holds and will continue to hold the record for most EOs in a 4-year term.

            4. Marston (May 14, 2021)
            More than 50% of the orders that Biden has made revoke orders made by Trump. If Biden's aren't Constitutional, then neither were Trump's. ego...

            5. Faux News (May 14, 2021)
            The only president we've had in the last century that could be described as an "aspirational dictator" was Trump.

        2. ReadandShare (May 14, 2021)
        Nobody said the world is fair. Mess with the world's sole superpower at your own risk. Of course, other times, the superpower also acted as a force for good.

3. Blake Carrington (May 14, 2021)
You have messed with the wrong Carrington.

    1. Susan (May 14, 2021)
    I hear you Blake, they sure gave! Not this Carrington but the other Carrington.

4. Dennis Baatlett (May 14, 2021)
These guys are modern day pirates. The solution is the same as that applied to the pirates of his day by Julius Caesar. Crucifixion. Guaranteed 100% effective against recidivism.

    1. DelilahTheSober (May 14, 2021)
    I agree completely. Sometimes traditional frontier justice is exactly what is needed.

5. W4phle_Stomp (May 14, 2021)
It's less important to me whether they were infiltrated by another or simply pretended to be infiltrated and absconded with the treasure. What's more important is the incessant parade of users, healthcare, industry, corporate, Gov't, SMEs, home users, who insist on using a deeply flawed proprietary OS which has about 35 years of history to prove it is deeply insecure and has always been so. It boggles the mind, first, why infrastructure and utilities feel the need to have their critical systems online and not insular, protected from the internet. Second, I'm baffled why healthcare and Gov't agencies use Windows with its historically-proven lack of security and exploitability. Though I use Linux and BSD, I'm not specifically advocating for any flavour of those above, but I am advocating for using OSes which are provably more secure - yet, they always aim for convenience over security, and if they aren't ransomed for their system's functionality, they're breached with the customers' or clients' data stolen.

    1. ausoleil (May 14, 2021)
    It's not just Microsoft products -- home routers are notoriously insecure, and some vendors (looking at you, ASUS) initially tried to claim that their insecurity was actually a feature. Commercial routers for the SMB market aren't much better; for example, SonicWall just released patches for three zero-day vulnerabilities in its hosted and on-premises email security products. Apple has its share of flaws, as does Linux and others. IoT security is an oxymoron, as is printer security -- remember how someone found 800,000+ printers with ports 9100, 515, and 631 open to the public Internet on Shodan? And that's before admin configuration mistakes and users bypassing or ignoring security practices come into play. Yeah, Microsoft is definitely a poorly secured OS by default and often by design -- but they are by no means alone.

    2. Willllll (May 14, 2021)
    Convenience vs security, pick one. Have you ever tried to teach a random adult how to do something even halfway complicated with a computer? They often can't or won't learn. Windows is familiar and has been made easy to use for a long time. And are the other OS really truly more secure? Or less attacked?....

    3. Sean Flanagan (May 14, 2021)
    These attacks routinely require a user to click on a link within an email in order to infest the system. The OS has nothing to do with this problem.

        1. Robert Partridge (May 14, 2021)
        Exactly! Social engineering exploits the weakest link in the system, the human element. And malicious actors will continue to be successful at it.

6. NobodySAIDboo (May 14, 2021)
Do not worry, they are all safe, happy and rich now in Israel; they will be on Israeli TV soon to tell how they did it, same as the 9/11 murderers.

    1. Mr E (May 14, 2021)
    Are you kidding? Your baseless hate for Israel disappoints me.

7. the.raw (May 14, 2021)
Is this for real? There's a code of conduct for ransomware deployments? Seriously? I prefer to authenticate this story, but such that it is, I must say I am disappointed. Apparently, the only way to stop a bad guy on a computer is another bad guy supplying the software.

8. Paul D Collier (May 14, 2021)
bamboozled

9. Notaserialkiller (May 14, 2021)
What are the CIA, NSA, FBI etc doing all day? Too busy making WOKE recruiting videos.

10. Compu Smith (May 14, 2021)
I doubt this, entirely.

11. Stephan B Feibish (May 14, 2021)
If committed by a nation state it would be called an act of sabotage or an act of war.