The RaaS that crippled Colonial Pipeline lost the servers it uses to pull off ransomware attacks, while REvil’s gonads shrank in response.
DarkSide, the ransomware-as-a-server (RaaS) gang that crippled Colonial Pipeline Co. a week ago, extorted around $5 million, and sent the fuel company a decryption tool that reportedly could barely limp through the process of unlocking files, has now been paralyzed itself.
In the wee hours of Friday morning, DarkSide, following its own promise to “speak honestly and openly” about problems, ran through a laundry list of them. In a posting on an underground forum observed by Kaspersky researchers and shared with Threatpost, it said that it had lost access to the public part of its infrastructure: Specifically, the servers for its blog, payment processing and denial-of-service (DoS) operations had been seized.
DarkSide didn’t specify the country in which those servers operated or whose law enforcement seized them.
“Since the first version, we have promised to speak honestly and openly about problems,” the gang wrote in an underground-forum post, saying that the money collected by the gang’s founders and affiliates was transferred to an unknown account.
“Now these servers are unavailable via SSH, the hosting panels are blocked,” DarkSide said. “Hosting support, apart from information ‘at the request of law-enforcement agencies’, does not provide any other information.”
REvil Sweats Bullets
The DarkSide takedown sent shockwaves through other underground forums, many of which deleted all ransomware topics. As researchers observed, DarkSide’s fellow RaaS player, REvil, found itself forced to introduce its own new restrictions.
The REvil gang announced that it’s instituting pre-moderation for its partner network, and said it would ban any attempt to attack any government, public, educational or healthcare organizations.
REvil’s backers commented on DarkSide’s experience, saying that it’s “forced to introduce” these “significant new restrictions”:
- Work in the social sector (healthcare, educational institutions) is prohibited;
- It is forbidden to work on the gov-sector (state) of any country;
- Before the spacer, the target is agreed with the PP administration: Write the description of the target, its website, zoom info, etc., etc .;
Violators will be kicked out, REvil said, referring to giving out “desh” for free. That’s likely a reference to “deshirfrator,” or “decryptor” in Russian: The tools that typically are as far from free as ransomware attackers can make them. Ransomware actors promise to give their victims these tools in return for extortion money, which many organizations fork over in the often futile belief that they’ll be able to unlock their files.
REvil also said that it will likely delete all of its own ransomware topics from the underground forums and “go into private.” The group told its audience to “be a little more active,” and “contact in [private messages].”
What Is This, the RaaS Reformation?
DarkSide itself launched this wave of RaaS back-peddling earlier this week, when the threat actor said that it was only after profit, and that it had no intention to cause political, economic or social disruption. Our bad, they said: We were just after moolah, not the kneecapping of the nation’s infrastructure. We’ll vet our criminal customers better in the future, they promised, calling the Colonial Pipeline attack “a very big ‘oops.’”
It was indeed a very big oops, with ripples still spreading a week later. Colonial Pipeline, the supplier of about 45 percent of liquid fuel used in the South and Eastern U.S., proactively shut down its fuel-delivery operations following the ransomware attack a week ago. They pretty much stayed down for five days, only sputtering back to life on Wednesday. Gas shortages and price spikes meanwhile are continuing.
Also on Wednesday, President Biden signed an executive order aimed at bolstering the federal government’s cyber-defenses. As it is, the administration is juggling a number of digital attacks, including SolarWinds.
At any rate, this isn’t the first time that DarkSide has contracted a case of scruples. In October, it tried to send $20,000 in donations to charities in a “we’re actually the good guys” display that was likely intended to draw attention to future data dumps, as experts said at the time. It was an empty gesture: The charities – The Water Project and Children International – refused the money.
And, before the Colonial Pipeline attack, DarkSide, like similar Robin Hood wannabes, already had an ethics code that prohibited attacks against hospitals, hospices, schools, universities, non-profit organizations and government agencies — similar to REvil’s new veil of ethics.
When the Babuk gang first crawled out of the muck, it too portrayed itself as a gang with morals. The Babuk operators also said they wouldn’t attack hospitals, nonprofits (unless they support LGBT or Black Lives Matter that is, presumably demonstrating their biases), small businesses (under $4 million in annual revenue: Data they claimed to have gathered from ZoomInfo business-information service) and schools (except for universities). Everybody else was fair game, including plastic surgery and dental clinics (presumably demonstrating that the operators may have suffered from poor dentistry or botched tummy tucks), and major universities.
After Babuk attacked the Washington D.C. Metropolitan Police Department in April, Randy Pargman, a 15-year veteran of the FBI and current vice president of threat hunting and counterintelligence at Binary Defense and long-time Babuk tracker, told Threatpost that the operators behind the RaaS offering either truly don’t want to attack those entities, or they’re just putting on a public face, telling the world that hey, we’re not all that bad.
Just because a ransomware outfit has a code of ethics doesn’t mean that all of its affiliates follow it, though. Early on in the pandemic, several ransomware gangs pledged to spare hospitals because of the ongoing COVID-19 scourge. The Maze and DoppelPaymer groups, for instance, said they would not target medical facilities and, if accidentally hit, would provide the decryption keys at no charge. The Netwalker operators, meanwhile, also said they would not target hospitals. However, if accidentally hit, the hospital would still have to pay the ransom.
Those promises haven’t been kept: Cybercriminals haven’t exempted medical professionals, hospitals or healthcare orgs on the frontlines of the coronavirus pandemic when it comes to cyberattacks, including ransomware and other malware, and there’s little reason to believe that REvil’s new code of ethics will be any different.
Some groups make no pretense at having even a veneer of honor: In September, employees at Universal Health Services (UHS), a Fortune-500 owner of a nationwide network of hospitals, reported widespread outages that resulted in delayed lab results, a fallback to pen and paper, and patients being diverted to other hospitals. The culprit turned out to be the Ryuk ransomware, which locked up hospital systems for days. That group has never made any attempt at demonstrating a conscience.
Download our exclusive FREE Threatpost Insider eBook, “2021: The Evolution of Ransomware,” to help hone your cyber-defense strategies against this growing scourge. We go beyond the status quo to uncover what’s next for ransomware and the related emerging risks. Get the whole story and DOWNLOAD the eBook now – on us!