The dark web page belonging to DarkSide, the group accused of the ransomware attack on Colonial Pipeline Co., has gone down, and the group has told other hackers that it is shutting down amid law-enforcement pressure.
The Colonial breach forced the company to shut down operations, triggering fuel shortages in parts of the U.S. Some evidence has linked DarkSide’s operations to Russia and other Eastern European countries.
Multiple hackers have cited a May 13 announcement shared with DarkSide affiliates saying that the group had lost access to its blog and payment servers and would be closing, according to Kimberly Goody, senior manager of financial criminal analysis at FireEye Inc.’s Mandiant.
DarkSide provides its malware to customers, or affiliates, in what is known as “ransomware as a service.”
“The post cited law enforcement pressure from the United States for this decision,” Goody said in a statement. Mandiant hasn’t been able to independently verify the claims.
Ransomware is a type of malware that encrypts a victim’s data; the groups sometime steal data too. The hackers then ask for a payment to unlock the files or return the stolen data.
DarkSide maintains at least eight domains or websites on the dark web. One is a public-facing website used by DarkSide and its hackers-for-hire to name and shame victims who’ve ignored or refused the group’s ransom demands. The other seven sites are used by the group to host the data they’ve stolen.
Four of those seven domains are also down. Three are loading blank, white pages. One simply reads, “Darkside CDN.” CDN stands for content delivery network.
Dark web researchers speculated that the outage could be DarkSide’s effort to duck law enforcement given the turmoil caused by the attack. “DarkSide is likely going to go quiet and rebrand itself, as we’ve observed with other dark net ransomware operators in the past when they became targets of law enforcement,” said Mark Turnage, co-founder of DarkOwl, a dark web and cyber research firm.
Some ransomware groups maintain pages on the dark web where they post stolen documents to pressure victims into paying, or list the names of companies that have refused their demands. DarkSide’s site posted what appeared to be three new victims on its site as recently as May 12, as they continued to leak new data on the site for existing digital hostages.
In a message posted after the Colonial attack, the group hinted at contrition and that a “partner” might be to blame.
“We are apolitical. We do not participate in geopolitics,” the message said. “Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”