Since DarkSide's wallet was opened in March, it had received $17.5 million from 21 Bitcoin wallets, Elliptic said, indicating how many ransoms the group had collected just since the spring. Cybersecurity analysts estimate that the group has been active since at least August and has most likely used a number of different Bitcoin wallets to collect ransom payments.
The intense scrutiny that followed the attack on Colonial Pipeline clearly unsettled ransomware groups. This week, the operators of REvil and Avaddon, two major Russian-language ransomware platforms, announced tough new rules for the use of their products, including bans on targeting government-affiliated companies, hospitals or educational institutions.
The administrator of XSS, a popular Russian-language cybercrime forum, announced an immediate ban on all ransomware activity on the forum, citing, among other things, the bad press associated with the industry. In a statement posted on the forum, the administrator pointed to a “critical mass of damage, nonsense, hype and noise” and noted that even the spokesman for President Vladimir V. Putin of Russia had weighed in on the Colonial Pipeline attack. (The spokesman, Dmitri S. Peskov, denied that the Kremlin was involved in the attack on the pipeline.)
“The word ransom is linked to a whole range of nasty things – geopolitics, extortion, government cyberattacks,” the XSS administrator wrote. “That word has become dangerous and poisonous.”
Even if DarkSide has shut down, the ransomware threat isn’t over. Cybercriminal networks frequently disband, regroup and rename themselves to evade law enforcement, cybersecurity experts say.
“It is likely that these ransomware operators are trying to get out of the spotlight more than suddenly discovering the flaw in their path,” said Mark Arena, CEO of Intel 471. “A number of operators will most likely continue to operate tightly within their own affiliated groups and reappear under various aliases and ransomware names.”
In fact, DarkSide gave no indication that its members are getting out of the ransomware business, or even that they would release victims currently infected with the group’s malware. In its statement, DarkSide said it would hand over its decryption tools to affiliates, the intermediaries responsible for infecting computer systems with the group’s malicious software, so that they could negotiate ransoms directly with victims.
“You get decryption tools for any company that hasn’t paid,” the statement said. “After that, you can communicate with them wherever you want, however you want.”
Julian Barnes contributed reporting.