Quote: "The ransomware attack on Colonial Pipeline has caused a large amount of trouble in the United States. It looks as if that trouble has made its way back to the cybercrime underground. Intel 471 has observed numerous ransomware operators and cybercrime forums either claim their infrastructure has been taken offline, amend their rules, or abandon ransomware altogether due to the large amount of negative attention directed their way over the past week.
On May 13, 2021, the operators of the DarkSide Ransomware-as-a-Service (RaaS) announced they would immediately cease operations of the DarkSide RaaS program. Operators said they would issue decryptors to all their affiliates for the targets they attacked, and promised to compensate all outstanding financial obligations by May 23, 2021. The group, which has been named as the one responsible for the Colonial Pipeline incident, also passed an announcement to its affiliates claiming a public portion of the group's infrastructure was disrupted by an unspecified law enforcement agency. The group’s name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from their cryptocurrency wallets allegedly were exfiltrated. Intel 471 obtained the announcement, which is available below. Translated into English, the note reads:
Starting from version one, we promised to speak about problems honestly and openly. A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the
- blog
- payment server
- CDN servers
DarkSide was not the only group to make this type of announcement on May 13. Another RaaS group, Babuk, claimed it handed over the ransomware’s source code to "another team," which would continue to develop it under a new brand. The group pledged to stay in business, continuing to run a victim name-and-shame blog, while also encouraging other ransomware gangs to switch to a private mode of operation. This announcement came after the group released the remaining portions of the data stolen from the District of Columbia’s Metropolitan Police Department. That archive, which contained 250 GB worth of data, allegedly included officers' and auxiliary personnel personal data, a database filled with information on criminals, as well as information on police informants.
While Babuk pledged to keep its operations running, it may find it difficult to find affiliates. Shortly after the above announcements, the administrator for one of the most popular Russian-language cybercrime forums announced an immediate ban of all ransomware-related activity on their forum. The forum now prohibits ransomware advertising, sales, ransom negotiation services and similar offers. Any listings that are currently on the forums will be deleted. The administrator explained the move by saying ransomware operations are becoming “more and more toxic” and dangerous for the underground community. That announcement caused a ripple effect on the forum, causing other well-known RaaS affiliates to make their own announcements regarding the status of their operations. One operator known to be behind the REvil ransomware program announced they would stop promoting their malware on the forum, deleting the forum thread where the service was advertised. The operator said REvil would continue operating on another well-known Russian-language cybercrime forum, but expected that forum would soon also ban all ransomware-related activity. If that is to occur, the operator said REvil would likely go fully private."
Quote: "A strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to “wash” the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil, has allegedly ceased operations."
Full source :
The moral underground? Ransomware operators retreat… | Intel471.com
Several ransomware operators have claimed to change their business and forums have banned advertisements in response to the Colonial pipeline hack.
www.intel471.com