Russia-based cyber-extortionist Darkside appeared out of business Friday after unknown actors shut down the servers of the group, which had forced the closure of a large US oil pipeline in a multi-million dollar ransomware scam.
US cyber security firm Recorded Future said that Darkside had admitted in a web post that it lost access to certain servers used for its web blog and for payments.
Recorded Future threat intelligence analyst Dmitry Smilyanets said he found a Russian language comment on a ransomware website ostensibly from "Darksupp", described as the operator of Darkside.
"A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. DOS servers," Darksupp wrote.
Accessed via TOR on the dark web, the Darkside site address showed a notice saying it could not be found.
Recorded Future reported that the Darkside operator also said cryptocurrency ransom payments had been withdrawn from its server, dealing a setback to the group which had marketed itself as a formal business for hijacking victims' IT systems until they paid to unlock them.
Speculation focused on who could have taken down Darkside's computers after it had spent the past half-year extorting millions of dollars from companies which fell victim to its ransomware.
Some suspected that the US military's Cyber Command took action, pointing to the Twitter account of the Pentagon's 780th Military Intelligence Brigade, a hacking unit that retweeted the Recorded Future report shortly after it came out.
Asked in a Congressional hearing Friday if they were taking action against Darkside, Cyber Command Commander General Paul Nakasone said he would not discuss the unit's operations.
– Ireland hit by ransomware –
The Darkside episode came as ransomware actors continued to wreak havoc across the globe.
Ireland's health authority said Friday it had shut down its computer systems after experiencing a "significant ransomware attack."
And another extortionist group, Babuk, continued to release sensitive online files stolen from the Washington metropolitan police department. It has demanded a seven-figure payout from the main security body of the US capital city.
Darkside, which only surfaced online late last year, was behind the attack last week on Colonial Pipeline that forced the shutdown of its network shipping gasoline, diesel and aviation fuel across much of the eastern half of the United States.
That sparked fuel shortages and long lines at gas stations across much of the southeast.
On Thursday Colonial said it had resumed fuel deliveries along its 5,500 mile (8,850 kilometers) pipeline amid unconfirmed reports it had paid Darkside $5 million to end the cyber-siege.
The attention that the Colonial shutdown brought to Darkside and the apparent attack on it appeared to spark turmoil in the flourishing ransomware "industry," in which hackers and owners of the ransomware software and payment operations openly collaborate on mainly Russian language forums.
US President Joe Biden said that even though US intelligence did not link the Russia-based hackers to the Russian government, he would nevertheless bring up the issue with President Vladimir Putin in a summit tentatively planned in the coming months.
One such forum, XSS, announced Thursday a ban on sales and rentals of ransomware, according to Digital Shadows, a cyber security firm.
– $17.5 million since March –
Nevertheless, ransomware extortion continued to proliferate. Various groups, including Darkside before it was shut down, posted fresh information on companies whose data had been hacked and was being held for payments that can run into the millions of dollars.
Elliptic, a specialist in crypto currency business and blockchain systems, said it had tracked down the bitcoin wallet used by Darkside to receive some payments.
Elliptic said the wallet had received a payment of 75 bitcoin ($3.8 million) from Colonial on May 8.
It said the wallet, active since March 4, had received a total of 57 bitcoin payments worth $17.5 million.
Security firms said Darkside appeared to shut down but did not rule out the possibility that they could reconstitute under another name or that others could continue to use their software.
"There is some speculation by other actors that this could be an exit scam," noted Kimberly Goody at Mandiant Threat Intelligence, part of the FireEye security group.