Image: iStock/nevarpp

The ransomware group that targeted Colonial Pipeline may be regretting its attack in the wake of reprisals from both the U.S. government and the ransomware community. By hitting a critical infrastructure company, DarkSide has drawn attention to the problem of ransomware. That’s a positive step for the good guys; not so much for the bad guys.

SEE: Ransomware: What IT pros need to know (free PDF) (TechRepublic)

On the one side, the renewed focus has prompted the White House to act by issuing an executive order on cybersecurity and vowing to go after ransomware groups. On the other side, this increased attention has triggered anxiety in the ransomware community, ultimately forcing DarkSide to shut down its operations, or so it seems.

The attack against Colonial Pipeline forced it to temporarily take its pipeline operations offline. Though the company has since brought everything back up, that relatively short-lived move contributed to a spike in gas prices and longer lines at many stations across the East Coast. The incident shows how a single attack against critical infrastructure could impact a wide section of society.

In response, President Biden signed an executive order last week calling for tighter security requirements for hardware and software, which is often riddled with vulnerabilities that cybercriminals easily exploit. Though the EO applies mostly to the federal government, the hope is that developers and vendors will better bake security into products sold to the private sector as well.

Last week, the U.S. government in the form of the FBI pointed the finger at DarkSide as the culprit behind the pipeline ransomware attack. Starting as a hacker for hire supporting ransomware-as-a-service client REvil, DarkSide struck out on its own late last year. This loose collection of cybercriminals proved successful with its own ransomware-as-a-service business in which it hires affiliates to carry out specific phases of an attack.

Speaking about the pipeline attack last Thursday and ransomware groups in general, President Biden said that the U.S. is “going to pursue a measure to disrupt their ability to operate.” He also mentioned a new Justice Department task force “dedicated to prosecuting ransomware hackers to the full extent of the law.” The president added that he doesn’t think the Russian government was behind the attack but does believe that the people behind the attack live in Russia.

This new focus on combating ransomware and the repercussions of attacking critical infrastructure has put DarkSide in hot water within the ransomware community, creating a chain of events that has affected other groups as well.

On May 13, the XSS forum, which operates as a underground Russian-language cybercrime platform, announced that it would ban all ransomware activities on its forum, including ransomware affiliate programs, ransomware for rent and the sale of ransomware software. In the past, XSS was a helpful haven for ransomware groups to recruit affiliates for REvil, Babuk, DarkSide and others, according to security firm Flashpoint. The decision to ban further activity was based on ideological differences between the forum and ransomware operators as well as the media attention from high-profile ransomware incidents, the administrator of XSS said.

Within hours of XSS’ move, other criminal forums followed suit. That same evening, Russian language forum Exploit announced that it would ban ransomware partner programs and remove all topics related to ransomware, according to digital risk company Digital Shadows. The forum’s administrator said that they were unhappy about all the unwanted attention that affiliate programs were bringing to the forum. The next day, RaidForums also revealed that it was banning ransomware on its forum, Digital Shadows added.

Further, the infamous REvil group issued a statement through its representative, known as UNKN, that affiliates would now be required to gain permission to target a specific organization, BleepingComputer reported. This requirement would represent a major shift from the past when affiliates were typically free to hit any victim they chose. The statement also established two specific restrictions: 1) Attacks against the social sector (e.g, health care, educational institutions) are prohibited and 2) Attacks against the government sector (state) of any country are forbidden.

But the brunt of the pushback has been against DarkSide itself. On May 13, the group’s operators said they would immediately stop their ransomware-as-a-service program, issuing decryptors to all affiliates who could then deal directly with victims and settling all financial obligations by May 23, according to cybercrime intelligence firm Intel 471. The group also told affiliates that its infrastructure had been disrupted by an unspecified law enforcement agency.

In a message sent to affiliates, DarkSide said that it lost access to its blog, payment server and CDN servers and that its hosting panels have been blocked. The group also said that its landing page, servers and other resources would be taken down within 48 hours.

However, DarkSide’s apparent exit from the world of ransomware may not be the last we hear of them. Cybercriminals who’ve drawn undue attention to themselves have a habit of resurfacing at some point with a new identity. DarkSide could simply be trying to lie low until the media coverage passes, planning to pop up again when the heat is off. And other ransomware groups are probably using the same tactic.

“It’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,” Intel 471 said. “A number of the operators will most likely operate in their own closed-knit groups, resurfacing under new names and updated ransomware variants.”