The group behind the ransomware attack on Colonial Pipeline that led to sharp spikes in fuel prices across the country has reportedly quit after its servers and cryptocurrency were seized.
Security journalist Brian Krebs wrote last Friday that DarkSide, the gang behind the ransomware of the same name, announced on a cybercrime forum that it can’t operate since its funds and servers are no longer available.
Krebs cited a message from a cybercrime forum that was reposted to the Russian OSINT Telegram channel. The group said its servers were seized by an unnamed country and its money was transferred to an unknown account.
“A few hours ago, we lost access to the public part of our infrastructure,” the message reads, explaining that the outage affected its victim-shaming blog, where data stolen from victims who refuse to pay a ransom is published.
“Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information,” the DarkSide admin says. “Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.”
DarkSide organizers also said they were releasing decryption tools for all of the companies that have been ransomed but which haven’t yet paid.
“After that, you will be free to communicate with them wherever you want in any way you want,” the instructions read.
Krebs says the message also includes passages authored by the leader of the REvil ransomware-as-a-service platform, which is believed to be linked to DarkSide due to similarities in code and members.
Colonial Pipeline said it began restarting pipeline operations around 5 p.m. on May 12, and reportedly paid nearly $5 million in ransom to DarkSide, according to a Bloomberg report. It reportedly did so just hours after the attack, as the largest U.S. fuel pipeline operator was under extreme pressure to resume normal operations and supply fuel to a large part of the East Coast.
Colonial halted pipeline operations on Friday, May 7, taking most of its systems offline to contain the attack.