Cybercrime The Moral Underground? Ransomware Operators Retreat after Colonial Pipeline Hack

upnorth

Quote: "The ransomware attack on Colonial Pipeline has caused a large amount of trouble in the United States. It looks as if that trouble has made its way back to the cybercrime underground. Intel 471 has observed numerous ransomware operators and cybercrime forums either claim their infrastructure has been taken offline, amend their rules, or abandon ransomware altogether due to the large amount of negative attention directed their way over the past week.

On May 13, 2021, the operators of the DarkSide Ransomware-as-a-Service (RaaS) announced they would immediately cease operations of the DarkSide RaaS program. Operators said they would issue decryptors to all their affiliates for the targets they attacked, and promised to compensate all outstanding financial obligations by May 23, 2021. The group, which has been named as the one responsible for the Colonial Pipeline incident, also passed an announcement to its affiliates claiming a public portion of the group's infrastructure was disrupted by an unspecified law enforcement agency. The group's name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from their cryptocurrency wallets allegedly were exfiltrated. Intel 471 obtained the announcement, which is available below. Translated into English, the note reads:

Starting from version one, we promised to speak about problems honestly and openly. A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the
  • blog
  • payment server
  • CDN servers
At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked. The hosting support service doesn't provide any information except "at the request of law enforcement authorities." In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.

The following actions will be taken to solve the current issue:
  • You will be given decryption tools for all the companies that haven't paid yet. After that, you will be free to communicate with them wherever you want in any way you want.
  • Contact the support service. We will withdraw the deposit to resolve the issues with all the affected users. The approximate date of compensation is May 23 (due to the fact that the deposit is to be put on hold for 10 days on XSS).

In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck. The landing page, servers, and other resources will be taken down within 48 hours.

DarkSide was not the only group to make this type of announcement on May 13. Another RaaS group, Babuk, claimed it handed over the ransomware's source code to "another team," which would continue to develop it under a new brand. The group pledged to stay in business, continuing to run a victim name-and-shame blog, while also encouraging other ransomware gangs to switch to a private mode of operation. This announcement came after the group released the remaining portions of the data stolen from the District of Columbia's Metropolitan Police Department. That archive, which contained 250 GB worth of data, allegedly included officers' and auxiliary personnel's personal data, a database filled with information on criminals, as well as information on police informants.

While Babuk pledged to keep its operations running, it may find it difficult to find affiliates. Shortly after the above announcements, the administrator for one of the most popular Russian-language cybercrime forums announced an immediate ban of all ransomware-related activity on their forum. The forum now prohibits ransomware advertising, sales, ransom negotiation services and similar offers. Any listings that are currently on the forums will be deleted. The administrator explained the move by saying ransomware operations are becoming "more and more toxic" and dangerous for the underground community. That announcement caused a ripple effect on the forum, causing other well-known RaaS affiliates to make their own announcements regarding the status of their operations. One operator known to be behind the REvil ransomware program announced they would stop promoting their malware on the forum, deleting the forum thread where the service was advertised. The operator said REvil would continue operating on another well-known Russian-language cybercrime forum, but expected that forum would soon also ban all ransomware-related activity. If that is to occur, the operator said REvil would likely go fully private."

Quote: "A strong caveat should be applied to these developments: it's likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to "wash" the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil, has allegedly ceased operations."

Full source:

The_King

Quote: "while funds from their cryptocurrency wallets allegedly were exfiltrated"
Even if law enforcement seized your PC or server that contained your crypto wallet file, which is most likely heavily password protected, and we are dealing with guys that are fanatical about encryption!

Unless it was just a sacrificial crypto account or they truly are scared and decided to go dark and leave it all.

upnorth

They'll prob. make a comeback in some way, after giving it some time. Prob. most are addicted to this kind of lifestyle.
No doubt, and the news already started reporting last year on an extra nasty behavior that will more than likely grow.

Quote: "The success of double extortion throughout 2020, most notably since the outburst of the Covid-19 pandemic, is undeniable. While not all incidents – and their results – are disclosed and published, statistics collected during 2020-2021 reflect the prominence of the attack vector. The average ransom payment has increased by 171% in the last year, and is now approximately $310,000. Over 1,000 companies suffered data leakage after refusing to meet ransom demands in 2020, and about 40% of all newly discovered ransomware families incorporated data infiltration into their attack process. As the numbers reflect a golden attack technique, which combines both a data breach and a ransomware threat, it is clear that attackers are still seeking methods to improve their ransom payment statistics and their threat efficiency.

Prominent attacks that have taken place at the end of 2020 and the beginning of 2021 point at a new attack chain – essentially an expansion to the double extortion ransomware technique, integrating an additional, unique threat to the process – and we call this Triple Extortion. The first notable case is the Vastaamo clinic attack, which happened in October 2020. Innovative at the time, the 40,000-patient Finnish psychotherapy clinic suffered a yearlong breach that culminated in extensive patient data theft and a ransomware attack. A decent ransom was demanded from the healthcare provider, but surprisingly, smaller sums were also demanded from the patients, who had received the ransom demands individually by email. In those emails, the attackers threatened to publish their therapist session notes. This was the first attack of its kind within the ransomware attacks landscape.
On a wider scale, in February 2021 the REvil ransomware group announced that they had added two stages to their double extortion scheme – DDoS attacks and phone calls to the victim's business partners and the media. The REvil ransomware group, responsible for the distribution of the Sodinokibi ransomware, operates in a ransomware-as-a-service business model. The group now offers DDoS attacks and voice-scrambled VoIP calls to journalists and colleagues as a free service for its affiliates, aimed at applying further pressure on the victim's company to meet ransom demands within the designated timeframe.

It seems that even when riding the wave of success, threat groups are in a constant quest for more innovative and more fruitful business models. We can only assume that creative thinking and a wise analysis of the complex scenario of double extortion ransomware attacks have led to the development of the third extortion technique. Third-party victims, such as company clients, external colleagues and service providers, are heavily influenced and damaged by data breaches caused by these ransomware attacks, even if their network resources are not targeted directly. Whether further ransom is demanded from them or not, they are powerless in the face of such a threat, and have a lot to lose should the incident take a wrong turn. Such victims are a natural target for extortion, and might be on the ransomware groups' radar from now on."