The Colonial Pipeline story has taken an unexpected plot twist after Darkside announced the cessation of their criminal operations.
Darkside is the Russian criminal group responsible for the Colonial Pipeline cyberattack that shut down fuel supply to the U.S. East Coast. The reason for this sudden change of heart was that Darkside had lost access to its ransomware infrastructure and suffered a mysterious theft from its bitcoin wallet.
Darkside operated a Ransomware-as-a-Service operation, offering its ransomware to affiliates and earning a percentage of each successful ransom payment. Darkside notified its affiliate network of the sudden decision via a post on its website.
The announcement explained that a public portion of the criminal group’s ransomware infrastructure was seized by an unspecified law enforcement agency.
The following assets were also seized:
- The group’s name-and-shame blog
- The group’s ransom payment collection website
- The group’s Content Delivery Network (CDN).
Darkside also said that just a few hours prior to the announcement, an unauthorized transfer of funds occurred from its cryptocurrency wallet linked to ransomware payments from victims.
It’s unknown whether the exfiltration of Darkside’s funds or the damage to its website was caused by a United States retaliation campaign. Websites seized by U.S. law enforcement are usually branded with an FBI seizure notice; Darkside’s website is currently just inaccessible.
While fuel delivery operations have finally returned to normal, Colonial Pipeline still has a lot of cleaning up to do, as evidenced by the error message replacing its website at the time of writing.
But a clean-up operation may involve much more than just re-connecting a website.
IFM Investors, an Australian investment management company, owns a 16% stake in Colonial Pipeline. IFM is in turn owned by 27 Australian union-and-employer-backed industry super funds, which links a swathe of the Australian superannuation sector to the Colonial Pipeline incident.
Other victims may also surface in the coming weeks, since cyberattacks on service providers tend to impact multiple entities connected through shared data resources.
While Darkside’s liquidation is a happy ending to this tumultuous story, it may not last. After a defeat, cybercriminal groups often resurface under different names and with a new reputation.
The problem of ransomware attacks will not be solved by hoping criminal groups disappear. The onus is on organizations to strengthen their security posture.