DarkSide Group Hit by Server Shutdowns
DarkSide is the threat actor behind the DarkSide ransomware-as-a-service operation. The group is responsible for two major ransomware attacks that took place just last week. One targeted US fuel supplier Colonial Pipeline and resulted in a $5 million ransom payout. The other was aimed at the European branches of Toshiba corporation. In the wake of those successful attacks, DarkSide announced that it has now lost access to a sizable portion of its servers.
The DarkSide group, faithful to its promise to remain transparent on its website and to keep its potential criminal customers informed about the state of affairs, announced that it no longer had access to the servers responsible for its blog, its payment processing and its DoS infrastructure. The announcement was made on a dark web forum, and it appears that DarkSide's hardware has been seized.
Naturally, the threat actor did not mention in which country the seized servers were located or which country's authorities were responsible for the takedown. The same announcement stated that the money from affiliate jobs, along with DarkSide's cut of it, has all been moved to an "unknown account".
This is big news, considering the major ransomware attacks the group pulled off in a very short span of time. DarkSide had previously claimed that it had already attacked a handful of other victims, with Toshiba probably being one of those. It remains to be seen whether the remainder of the attacks will come to fruition.
The DarkSide server takedown had a ripple effect on the broader underground hacker community. Threatpost reports that a number of underground hacker forums took immediate action and deleted any and all posts and topics related to ransomware.
Security researchers also discovered that REvil, another threat actor that runs a ransomware-as-a-service operation, imposed a number of new restrictions on its future ransomware licensees. REvil will not be performing "pre-moderation" of its partners. The threat group also explicitly stated that it will stop any attempts to have its ransomware used by third parties on any governmental, public, health or educational entities.
This is partly in line with DarkSide's own policy: DarkSide has a peculiar code of conduct, having vowed never to attack healthcare or educational institutions.
Another ransomware gang, the one operating the Avaddon ransomware, also issued notices that all licensees who want to make use of the group's ransomware toolkit must first coordinate their targets with the group's top brass.
ZDNet reported that a large Russian-language cybercriminal forum has removed all DarkSide posts from its pages and has banned any further discussion of the DarkSide group. There is no hard information on what exactly happened to DarkSide's servers, but it appears that the takedown sent a message to other ransomware groups and hackers across the world.