Colonial Pipeline Hackers Got Hacked, Shut Down, and Money Stolen Back
DarkSide, the hacking collective behind the Colonial Pipeline hack, has reportedly lost access to their own systems and lost nine months' worth of ransom payments totaling 90 million dollars.
This comes days after the FBI formally confirmed DarkSide as the perpetrators of the hack that shut down the massive Colonial Pipeline, promising to “disrupt” the hacker group. After being completely offline for days and sending half the country scrambling for plastic bags to fill with gasoline, Colonial themselves relented and paid DarkSide a 5 million dollar ransom to regain access to their systems.
Shortly after, the blockchain analysis firm Elliptic identified the Bitcoin wallet belonging to DarkSide and reported that the collective had taken in close to a hundred million dollars in ransom payments over the previous nine months, collecting an average of 1.9 million dollars across its 47 victims.
But before DarkSide could ride off into the sunset with their saddlebags full of bitcoin, the group lost control of their own servers and had their bitcoin wallet emptied. According to the security research firm Intel 471, three days after the FBI made their announcement, DarkSide released a memo on their dark web site stating that they had indeed lost access to their systems, their payment gateways and their funds, and would be ceasing all operations. They further added that they would be sending decryption tools to the remaining victims who had not yet paid a ransom.
The full memo, translated into English, reads as follows:
“Starting from version one, we promised to speak about problems honestly and openly. A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the blog, payment server, CDN servers. At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.
The hosting support service doesn't provide any information except "at the request of law enforcement authorities." In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.
The following actions will be taken to solve the current issue: You will be given decryption tools for all the companies that haven't paid yet.
After that, you will be free to communicate with them wherever you want in any way you want. Contact the support service. We will withdraw the deposit to resolve the issues with all the affected users.
The approximate date of compensation is May 23 (due to the fact that the deposit is to be put on hold for 10 days on XSS).
In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck. The landing page, servers, and other resources will be taken down within 48 hours”
Apparently, the blowback on DarkSide has been severe enough to send ripples throughout the blackhat hacking community. Another Ransomware-as-a-Service (RaaS) collective, Babuk, also announced it would be changing operations, dropping the RaaS wing of its business and “handing it off” to one of its affiliates.
One of the most popular cybercrime forums for Russian-speaking users also announced it would be wiping clean anything RaaS-related on the forum and banning users who discussed ransomware on the site.