DarkSide — the ransomware group that disrupted the distribution of gasoline across much of the US this week — has gone dark, leaving it unclear whether the group is shutting down, suspending or changing its operations, or simply orchestrating an exit scam.
On Thursday, all eight of the dark web sites DarkSide used to communicate with the public went down, and they remained unavailable as of publication time. Overnight, a message attributed to DarkSide claimed, without providing any evidence, that the group’s website and content distribution infrastructure had been seized by law enforcement, along with the cryptocurrency it had received from victims.
The dog ate our money
“At this time, these servers are not accessible via SSH and the hosting panels are blocked,” the message said, according to a translation of the Russian-language message published Friday by security firm Intel471. “The hosting support service does not provide any information except ‘at the request of law enforcement authorities’. In addition, a few hours after the seizure, money was debited from the payment server (ours and our customers’) to an unknown account.”
The post further claimed that DarkSide would distribute a decryptor for free to all victims who have not yet paid the ransom. So far, there are no reports of the group living up to that promise.
If true, the seizures would represent a major coup for law enforcement. According to recently released figures from cryptocurrency tracking company Chainalysis, DarkSide netted at least $60 million in its first seven months, with $46 million in the first three months of this year.
Identifying a hidden Tor service would also be a huge score, as it would likely mean either that the group made a major configuration mistake when setting up the service or that law enforcement knows of a serious vulnerability in the way the dark web works. (Intel471 analysts say some of DarkSide’s infrastructure is on the clear web, i.e. the regular Internet, so that the malware can connect to it.)
But so far, there is no evidence to publicly confirm these extraordinary claims. When law enforcement agencies from the US and Western European countries seize a website, they usually post a notice on the front page of the site announcing the seizure. Below is an example of what people saw when trying to visit the Netwalker group’s site after it was seized:
So far, none of the DarkSide sites display such a notification. Instead, most of them time out or show blank screens.
What is even more questionable is the claim that the group’s sizable cryptocurrency holdings have been taken. People experienced with digital currencies know not to store them in “hot wallets,” digital vaults that are connected to the Internet. Because hot wallets contain the private keys needed to transfer funds to new accounts, they are vulnerable to hacks and to the kind of seizure claimed in the post.
Before law enforcement could confiscate the digital currency, DarkSide’s operators would likely have had to store it in a hot wallet, and the exchange DarkSide used would have had to cooperate with law enforcement or have been hacked.
I highly doubt any ransomware group would keep its profits in a hot wallet on a cryptocurrency exchange that would cooperate with law enforcement. They only go to shady exchanges when they have to launder the money. Even then, blocking would be more credible than transfer.
— Vess (@VessOnSecurity) May 14, 2021
It’s also possible that careful tracking by an organization like Chainalysis identified wallets receiving funds from DarkSide and that police then seized those funds. Indeed, Elliptic, a separate blockchain analytics company, reported that it had identified a Bitcoin wallet DarkSide used to receive payments from its victims. On Thursday, Elliptic reported, $5 million had been drained from that wallet.
It is unknown at this time whether that transfer was initiated by the FBI or another law enforcement group, or by DarkSide itself. Regardless, Elliptic said the wallet — which had received 57 payments from 21 different wallets since early March — provided important clues for researchers to follow.
“What we find is that 18% of Bitcoin has been sent to a small group of exchanges,” wrote Elliptic co-founder and chief scientist Tom Robinson. “This information will provide law enforcement with crucial leads to identify the perpetrators of these attacks.”
Nonsense, hype and noise
DarkSide’s post came as a prominent criminal underground forum called XSS announced it was banning all ransomware activity, a major reversal from its past practice. The site had previously been a major venue for the ransomware groups REvil, Babuk, DarkSide, LockBit and Nefilim to recruit affiliates, who use the malware to infect victims and in return share a portion of the revenue generated. Within hours, all of DarkSide’s posts on XSS had been taken down.
In a Friday morning post, security firm Flashpoint wrote:
According to the XSS administrator, the decision is partly based on ideological differences between the forum and ransomware operators. In addition, the media coverage of high-profile incidents has resulted in a “critical mass of nonsense, hype and noise”. The XSS statement offers some reasons for its decision, most notably that ransomware collectives and their associated attacks generate “too much PR” and increase geopolitical and law enforcement risks to a “danger[ous] level.”
The XSS administrator also claimed that when “Peskov [the Press Secretary for the President of Russia, Vladimir Putin] is forced to apologize in front of our overseas ‘friends’ – this is a bit too much.” They hyperlinked to an article on the Russian news website Kommersant titled “Russia has nothing to do with hacking attacks on a pipeline in the United States” as the basis for these claims.
Within hours, two other underground forums, Exploit and Raid, had also banned posts about ransomware, according to images circulating on Twitter.
REvil, meanwhile, said it banned the use of its software against health, education and government organizations, The Record reported.
Ransomware at a crossroads
XSS and REvil’s actions represent a major short-term disruption to the ransomware ecosystem as they remove a key recruiting tool and source of revenue. Long-term effects are less clear.
“In the long run, it’s hard to believe that the ransomware ecosystem will disappear completely, as operators are financially motivated and the programs deployed have been effective,” Intel471 analysts said in an email. They said ransomware groups are more likely to “go private,” meaning they will no longer publicly recruit affiliates on forums, or will end their current operations and rebrand under a new name.
Ransomware groups may also change their current practice of encrypting data so that it is unusable by the victim while also stealing the data and threatening to make it public. This double-extortion method aims to increase the pressure on victims to pay. The Babuk ransomware group has recently started phasing out the use of malware that encrypts data, while maintaining the blog that names and shames its victims and publishes their data.
“This approach allows ransomware operators to reap the benefits of a blackmail event without having to deal with the public ramifications of disrupting the business continuity of a hospital or critical infrastructure,” the Intel471 analysts wrote in the email.
For now, the only evidence that DarkSide’s infrastructure and cryptocurrency have been seized is the word of admitted criminals, hardly enough to count as confirmation.
“I could be wrong, but I suspect this is just an exit scam,” Brett Callow, a threat analyst at security firm Emsisoft, told Ars. “DarkSide can sail into the sunset — or, more likely, rebrand — without having to share the ill-gotten gains with their partners in crime.”