Colonial Hackers Shut Down Service Amid Pressure From U.S.

The group suspected of being behind the massive Colonial Pipeline Co. attack has told other hackers that it plans to shut down its ransomware-as-a-service operation amid pressure from law enforcement.

The group DarkSide told its affiliates -- hackers who buy the group’s malware -- in a Thursday announcement that it had lost access to some infrastructure, including a blog and payment servers, according to Kimberly Goody, senior manager of financial criminal analysis at FireEye Inc.’s Mandiant. The group planned to close down and provide decrypters to companies that haven’t paid the ransom, she said.

“The post cited law enforcement pressure and pressure from the United States for this decision,” Goody said in a statement. Mandiant’s investigators haven’t been able to independently verify the claims.

The breach of Alpharetta, Georgia-based Colonial Pipeline forced the company to shut down operations last week, triggering fuel shortages in parts of the U.S. and focusing attention on ransomware, a type of cyberattack in which hackers encrypt a victim’s computers and demand a ransom to unlock them.

DarkSide’s site on the dark web wasn’t working as of Thursday, nor were other domains maintained by the group.

Some ransomware groups maintain pages on the dark web where they post stolen documents to pressure victims into paying or list the names of companies that have refused their demands. DarkSide listed what appeared to be three new victims on its site as recently as May 12, and continued to leak new data there from existing digital hostages.

Dark web researchers speculated that the outage could be DarkSide’s effort to duck law enforcement given the turmoil caused by the attack. “DarkSide is likely going to go quiet and rebrand itself, as we’ve observed with other dark net ransomware operators in the past when they became targets of law enforcement,” said Mark Turnage, co-founder of DarkOwl, a dark web and cyber research firm.

President Joe Biden said Russia has “some responsibility” to address the Colonial attack, saying “there’s evidence” the hackers or the software they used are “in Russia.” Cybersecurity experts have also cited the group’s use of the Russian language and the exclusion of Russian companies as hacking targets.

In a message posted after the Colonial attack, DarkSide hinted at contrition and that a “partner” might be to blame.

“We are apolitical. We do not participate in geopolitics,” the message said. “Our goal is to make money and not to create problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

©2021 Bloomberg L.P.
