Colonial Pipeline is the largest operator of fuel pipelines in the United States, but this May it became known for suffering a ransomware attack and paying $5 million in bitcoin to recover its systems. The most curious detail came later: DarkSide, the group behind the attack, reportedly decided to shut down its operations.
The attack on the Colonial Pipeline
The ransomware compromised only Colonial Pipeline's business network, but, fearing that the problem might spread further, the company decided to shut down the systems that control its pipelines.
Since Colonial Pipeline's pipelines carry 45% of the fuel consumed on the east coast of the United States, the pressure to resume the company's operations was intense.
To make matters worse, the company's billing system was among those hit by the ransomware. Without it, Colonial Pipeline cannot track fuel deliveries and bill its customers.
Security experts recommend that ransomware victims do not pay the ransom. Instead, they should contact the authorities and, if the organization's IT department cannot resolve the problem, bring in a security company that specializes in ransomware response.
By shutting down part of its systems as a precaution, Colonial Pipeline suggested it would follow this path. Last week, however, evidence surfaced that the company paid 75 bitcoins, equivalent to US$5 million at the time, as a ransom to get its operations back.
It was another DarkSide victory. But, days later, this story had an unexpected development.
DarkSide leaves the scene (or tries)
Research by Chainalysis indicates that DarkSide may have taken in nearly $50 million in the first quarter of 2021 alone. To earn that much, the group exploits a "business model" that has become known as ransomware-as-a-service: DarkSide supplies the ransomware to other groups in exchange for a share of the ransoms they collect.
In practice, it is an affiliate program that lets the group earn more than it would acting alone.
But last Thursday (13th), the sites DarkSide maintained on the dark web became inaccessible, without any prior explanation.
So far there is no confirmation of what happened. However, a message in Russian attributed to the group and addressed to its affiliates was identified by the security company Intel471, hours after the sites went offline.
The text says that DarkSide's access to its servers had been blocked. According to another excerpt of the message, the hosting provider responsible was contacted but gave no explanation, citing an order from the authorities.
There is more. The statement said that the group's funds had been moved to an unknown account.
On that point, Elliptic claims that the equivalent of $5 million in bitcoin left DarkSide's wallet last Thursday. It was not clear, however, whether the amount was seized by authorities or moved by the group itself.
Because of the supposed shutdown, the group promised to release decryption tools to organizations that had been victims of its ransomware but had not paid a ransom.
If the message is genuine, law enforcement is on DarkSide's trail, so the group decided to disperse. The message ends as follows: "In view of the above and due to pressure from the United States, the affiliate program has ended. Stay safe and good luck."
Ireland’s health service won’t pay
Last Friday (14th), a ransomware attack took down the systems of the Health Service Executive (HSE), Ireland's public health service. It is not clear whether the attack is linked to DarkSide; preliminary information indicates that the Conti ransomware is actually responsible.
What is certain is that, hours after the attack was discovered, the Irish government received a ransom demand in bitcoin equivalent to US$20 million, but it made a point of sending a message: not a cent will be handed over to criminals, even with several of its health services disrupted.
Working with security companies and the authorities, the HSE continues to work on restoring its systems. Some, such as the COVID-19 vaccine registration system, are already back up.
Sources: Ars Technica, The Verge.