DarkSide RaaS Shut Down and Ransomware Gangs Ban Attacks on Healthcare Organizations

The DarkSide ransomware gang has notified its affiliates that it has shut down its ransomware-as-a-service (RaaS) operation. The announcement came after the group’s public infrastructure was taken offline in what appears to be a law enforcement operation.

On May 13, the DarkSide data leak site went offline along with much of the group’s public infrastructure, including the payment server used to obtain ransom payments from victims and its breach data content delivery network. The gang also said its cryptocurrency wallets had been emptied and the funds transferred to an unknown account.

Intel 471 obtained a copy of a note written by the gang explaining to its affiliates that part of its public infrastructure was lost, its servers could not be accessed via SSH, and its hosting panels had been blocked. The group said its hosting company provided no further information beyond stating that the loss of the servers was “at the request of law enforcement.”

The group explained that it will be releasing the decryptors for all companies that have been attacked but have not paid the ransom; however, those decryptors are being released to the affiliates who conducted the attacks, not to the attacked companies. It will be up to individual affiliates whether to provide them to their victims or attempt to obtain payment.

“In view of the [loss of servers] and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck,” wrote the gang.

The same day that the group’s infrastructure was taken down, President Biden held a press conference about the Colonial Pipeline ransomware attack explaining the efforts made by the government to limit disruption and promising action would be taken against the DarkSide ransomware gang.

“We don’t believe the Russian government was involved in this attack,” said President Biden. “We do have strong reason to believe that the criminals who did the attack are living in Russia.” Biden went on to say that the United States was “in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks” and that the U.S. would “pursue a measure to disrupt their ability to operate.” President Biden also confirmed that the U.S. Department of Justice has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.

Prior to the shutdown, the hacking community had started to shun the DarkSide group. One of the two top-tier dark web forums used by the DarkSide gang to advertise its RaaS operation deleted the DarkSide account along with two threads about its ransomware operation, according to Gemini Advisory. Gemini Advisory also claims to have heard from several credible sources that the group no longer has a presence on the dark web. One top-tier dark web forum often used by ransomware gangs has also imposed sanctions on ransomware operations and has banned them entirely from the forum, claiming ransomware has become too toxic.

Intel 471 reports that it is not only the DarkSide operation that has been shut down. Several other ransomware operations have halted their activities, although it is unclear whether this is a permanent shutdown or whether the ransomware gangs are simply lying low and will resume their operations under a different name. The Babuk ransomware operators claim to have provided their source code to another team and to be pulling out of ransomware attacks. They said their ransomware will be operated by a different group under a different name.

The REvil ransomware gang, one of the most prolific ransomware operations, has also announced that it will no longer be promoting its ransomware operation on dark web forums and expects to make its operation private. Both REvil and Avaddon have taken the decision to stop their affiliates from attacking companies in certain sectors. Both ransomware gangs released statements confirming new rules have been introduced for affiliates that prohibit them from conducting attacks on the government, healthcare, charities, and educational institutions in any country. They also require their affiliates to obtain approval from the group before any attack. Should any affiliate attack a prohibited target, the victim will be provided with the decryptor free of charge and the affiliate will be permanently kicked out of the RaaS program.

Intel 471 also reports that the cryptocurrency mixing service BitMix, which was used by REvil and Avaddon to launder the cryptocurrency generated from ransomware attacks, has also been shut down.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.