Crooks Robbing Crooks, or Cold Feet? Ransomware Group DarkSide's Dark Web Servers Shut Down

The dark web page belonging to the ransomware group accused of attacking Colonial Pipeline has been shut down.

The DarkSide group has told other hackers that it shut down under law enforcement pressure. DarkSide, which only surfaced late last year, was behind the attack on Colonial Pipeline, which was forced to shut down the pipeline network that delivers gasoline, diesel and jet fuel across much of the eastern half of the United States, triggering fuel shortages in parts of the country. Some evidence links DarkSide's operations to Russia and other Eastern European countries.

Kimberly Goody, senior manager of financial crime analysis at Mandiant, a unit of U.S. cybersecurity firm FireEye, said multiple hackers cited a May 13 announcement shared with DarkSide affiliates that the organization had lost access to its blog and payment servers and was shutting them down.

Dmitry Smilyanets, a threat intelligence analyst at U.S. cybersecurity firm Recorded Future, said he found a Russian-language message from "Darksupp" on the ransomware site. "A few hours ago, we lost access to the public parts of our infrastructure, namely the blog, payment servers and CDN servers," the comment reads. "Darksupp" is described as the operator of DarkSide. At the same time, DarkSide's dark web URL is no longer reachable over Tor and displays a notice saying the site cannot be found. According to Recorded Future, DarkSide's operator also said its cryptocurrency ransom funds had been taken from its servers.

A separate blog post by cybercrime intelligence firm Intel 471 said DarkSide told its ransomware affiliates in a message on Thursday that "in light of the above and the pressure from the United States, the affiliate program is being shut down. Stay safe and good luck."

Goody said there has been no independent confirmation of the claims, and others have speculated that this could be an exit scam: some security experts warn that the group may simply be taking the money and disappearing from public view.

Speculation now centers on who shut down DarkSide's servers. Some suspect it was U.S. Cyber Command, because the U.S. Army's 780th Military Intelligence Brigade retweeted the Recorded Future report shortly after it was published. Asked at a congressional hearing on Friday whether he would take action against DarkSide, Cyber Command Commander Paul Nakasone declined to discuss the command's operations.

In addition, moderators of XSS, a Russian-language forum popular among cybercriminals, said in a post that they would remove all ransomware-related content, according to research by Digital Shadows, a digital risk protection firm. Two other ransomware groups, Avaddon and Sodinokibi, said on another forum that they would restrict the targets affiliates are allowed to attack with their ransomware. Avaddon said it would no longer permit attacks against medical organizations, public education or charities, according to the Digital Shadows report.

DarkSide operated at least eight domains or websites on the dark web. One was a public-facing leak site used by DarkSide and its affiliates to shame victims who ignored or refused the group's ransom demands; the other seven hosted the data stolen from victims. Four of those seven domains were also taken down, and the remaining three loaded blank white pages, one of which simply read "Darkside CDN" (CDN stands for content delivery network).

Dark web researchers speculate that the shutdown of the sites may have been an attempt by DarkSide to evade law enforcement, given the international attention the attack attracted.

Mark Turnage, co-founder of DarkOwl, a dark web and cyber research firm, said, "DarkSide will likely quiet down and reinvent itself, as we have observed in the past with other dark web ransomware operators who have temporarily ceased operations when they become targets of law enforcement."

"We are apolitical. We don't engage in geopolitics," DarkSide said. "Our goal is to make money, not to create problems for society. From today, we are introducing moderation and will check every company our partners want to encrypt, in order to avoid social consequences in the future."

DarkSide's dark web sites are.

From:On DarkNet – Dark Web News and Analysis
Copyright of the article belongs to the author, please do not reproduce without permission.
