The attack on the Colonial Pipeline fuel distribution system in the United States is causing repercussions for the operators of the Darkside ransomware group behind it, sparking fear among other cybercriminals that they will be targeted by law enforcement.
Security vendor Intel471 said it had obtained an announcement from the DarkSide gang, posted to the Russian XSS hacking forum, addressed to affliates who would deploy the ransomware on victims’ systems.
In the announcement, written in Russian, the DarkSide operators said their ransomware affliate program is closed “due to pressure from the US”.
In winding up its ransomware-as-a-service (RaaS) program, DarkSide said it would provide affliates with decryption tools for all the companies that haven’t paid yet.
Affliates were also told that DarkSide had lost access to the public part of its infrastructure.
This included the blog on which DarkSide had publicised its extortion efforts, payments and content delivery network servers.
DarkSide complained that its hosting providers did not provide any information about the infrastructure being seized beyond that it was done at the request of law enforcement.
The criminals also said funds were seized from their payments server.
Blockchain analysts Elliptic found the Bitcoin wallet used by DarkSide to receive ransoms from victims and said the amount seized was US$5 million (A$6.4 million).
The wallet was used to receive the 75 Bitcoin ransom payment from Colonial Pipeline after the attack, and also 78.29 Bitcoin from chemical distribution company Brenntag.
Robinson said the outgoing transactions from the DarkSide wallet provided insights into how the ransomware criminals and their affiliates were laundering the extortion money.
Tracing the transactions recorded on the blockchain database, Ellpitic researcher Dr Tom Robinson found that 18 percent of the total US$17.5 million in ransom payments received by the DarkSide wallet had been sent to a small group of cryptocurrency exchanges.
Another four percent was sent to darknet marketplace Hydra where the Bitcoin could be converted into gift vouchers, prepaid debit cards or Russian fiat.
“If you’re a Russian cybercriminal and you want to cashout your crypto, then Hydra is an attractive option,” Robinson noted.
Elliptic said the information gleaned from the wallet will help law enforcement to identify the ransomware criminals.
Financial institutions and crypto exchanges will also be alerted to any client deposits that originate from the DarkSide wallet, to prevent the criminals from cashing out their Bitcoin funds.
US president Joe Biden has promised to pursue the DarkSide criminals following the Colonial Pipeline attack which has caused panic buying of fuel in parts of the country.
The threat of being hunted by US law enforcement has pushed Russian hacking forums to oust ransomware members, Advanced Intel security researcher Yelisey Boguslavskiy noted.
Exploit just banned #RaaS
“We are glad to see penetrate testers, specialists, coders, but we are not happy with lockers”
All topics related to lockers will be deleted. pic.twitter.com/iHtdhwVeP1
— Yelisey Boguslavskiy (@y_advintel) May 14, 2021
Earlier, the XSS forum announced that it, too, had banned all RaaS activity.
The fallout from the Colonial Pipeline attack has also caused the operators of the REvil and Avaddon ransomware to bar affliates from attacking governments, healthcare, educational institutions and charities, regardless of the country they’re situated in.
Intel471 said that REvil and Avaddon affliates now need pre-approval from the ransomware operators before they attack targets.