The cybercriminal outfit that U.S. authorities have said infiltrated the network of a major pipeline operator, leading to gas shortages and rising prices, is claiming that it is disbanding.
DarkSide, which operates ransomware as a service, announced Thursday they were stopping operations.
In an announcement in Russian, the group said they lost access to part of its infrastructure, along with some of their financial assets, after an apparent raid by law enforcement authorities.
Affiliates that use DarkSide’s ransomware were told they will be given tools so victims can regain access to data that attackers held hostage in return for payment.
“In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck. The landing page, servers, and other resources will be taken down within 48 hours,” the announcement read, according to a translation by Intel 471, a group of intelligence operators.
The attack on Colonial Pipeline earlier this month prompted the Georgia-based company to shut down certain parts of its network. That led to a major U.S. pipeline going offline, which in turn led directly and indirectly to gas shortages and rising prices at the pump.
Reports suggested Colonial paid millions of dollars to get a tool to regain access to system parts the hackers invaded, but the company has declined to confirm that publicly, as has the U.S. government.
The FBI this week said the DarkSide ring was responsible for the compromise of Colonial networks. DarkSide appeared to acknowledge that much in an earlier statement, saying they are apolitical with the goal of making money and not creating problems for society.
“From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” it said.
DarkSide utilizes a highly targeted approach to attacking victims by using custom ransomware and a corporate-like method of communication throughout their attacks, according to Digital Shadows, a cybersecurity firm. DarkSide previously claimed it did not attack companies in certain sectors, like education.
Security researchers expressed skepticism of DarkSide’s new announcement.
Robert Lee, co-founder and CEO of Dragos, said on Twitter that the move “is almost certainly a rebranding attempt to avoid the heat.”
DarkSide and another ransomware group, Babuk, which said it was shifting operations on Thursday after taking credit for obtaining and leaking information from Washington’s police department, took the actions in reaction to “the high-profile ransomware attacks covered by the media this week,” Intel 471 said.
“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants,” it added.
President Joe Biden told reporters earlier Thursday that the U.S. government has “strong reason” to believe the Colonial hackers were based in Russia but were not backed by the Russian government.
“We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” he said. “We’re also going to pursue a measure to disrupt their ability to operate. And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”
An international task force that included officials from Microsoft, Amazon, New York state, and the U.S. government, said in a report sent to the Biden administration last month that the United States should “execute a sustained, aggressive, whole of government, intelligence-driven anti-ransomware campaign, coordinated by the White House.”