The RaaS that crippled Colonial Pipeline lost the servers it uses to pull off ransomware attacks, while REvil’s gonads shrank in response.
Dark Side, the ransomware-as-a-service (RaaS) gang that crippled Colonial Pipeline Co. a week ago, extorted around $5m, & sent the fuel company a decryption tool that reportedly barely worked at unlocking files, has now been paralysed itself.
In the early hours of Fri. morning, Dark Side, following its own promise to “speak honestly & openly” about problems, ran through a list of them. In a posting on an underground forum observed by Kaspersky researchers, the gang said that it had lost access to the public part of its infrastructure: Specifically, the servers for its blog, payment processing & denial-of-service (DoS) operations had been seized.
Dark Side did not specify the country in which those servers operated or whose law enforcement seized them.
Founders & Affiliates
“Since the 1st version, we have promised to speak honestly & openly about problems,” the gang wrote in an underground-forum post, saying that the money collected by the gang’s founders & affiliates was transferred to an unknown account.
“Now these servers are unavailable via SSH, the hosting panels are blocked,” Dark Side commented. “Hosting support, apart from information ‘at the request of law-enforcement agencies’, does not provide any other information.”
REvil Sweats Bullets
The Dark Side takedown sent shockwaves through other underground forums, many of which deleted all ransomware topics. As researchers observed, Dark Side’s fellow RaaS player, REvil, found itself forced to introduce its own new restrictions.
The REvil gang announced that it is instituting pre-moderation for its partner network & said it would ban any attempt to attack any govt., public, educational, or healthcare organisations.
Significant New Restrictions
REvil’s backers commented on Dark Side’s experience, saying that it is “forced to introduce” these “significant new restrictions”:
- Work in the social sector (healthcare, educational institutions) is prohibited;
- It is forbidden to work on the gov-sector state of any country;
- Before the spacer, the target is agreed with the PP administration: Write the description of the target, its website, zoom info, etc., etc.;
Violators will be kicked out, REvil stated, referring to giving out “desh” for free. That is likely a reference to “deshifrator,” or “decryptor” in Russian: The tools that typically are as far from free as ransomware attackers can make them. Ransomware actors promise to give their victims these tools in return for extortion money, which many organisations pay in the often-incorrect belief that they will be able to unlock their files.
REvil also outlined that it will likely delete all of its own ransomware topics from the underground forums & “go into private.” The group told its audience to “be a little more active,” & “contact in private messages.”
The RaaS Reformation
Dark Side itself launched this wave of RaaS back-pedalling earlier this week, when the threat actor explained that it was only after profit, & that it had no intention of causing political, economic, or social disruption.
In effect, they said: We were just after money, not the kneecapping of the nation’s infrastructure. We will vet our criminal customers better in the future, they promised, calling the Colonial Pipeline attack “a very big ‘oops.’”
It was indeed a very large issue, with ripples still spreading a week later. Colonial Pipeline, the supplier of about 45% of liquid fuel used in the South & Eastern US, proactively shut down its fuel-delivery operations following the ransomware attack a week ago.
Those operations mostly stayed down for 5 days, only resuming on Wed. Gas shortages & price rises meanwhile are continuing.
This is not the 1st time that Dark Side has shown scruples. In Oct., it tried to send $20k in donations to charities in a “we’re actually the good guys” display that was likely intended to draw attention to future data dumps, as experts outlined at the time. It was an empty gesture: The charities – The Water Project & Children International – refused the money.
Before the Colonial Pipeline attack, Dark Side, like similar Robin Hood wannabes, already had an ethics code that prohibited attacks against hospitals, hospices, schools, universities, non-profit organisations & govt. agencies — similar to REvil’s new ‘ethics.’
Black Lives Matter
When the Babuk gang 1st emerged, it too described itself as a gang with morals. The Babuk operators also stated they wouldn’t attack hospitals, non-profits (unless they support LGBT or Black Lives Matter causes, that is, presumably demonstrating their biases), small businesses (under $4m in annual revenue: Data they claimed to have gathered from the ZoomInfo business-information service) & schools (except for universities).
All others were fair game, including plastic surgery & dental clinics (presumably demonstrating that the operators may have suffered from poor dentistry or botched tummy tucks), & major universities.
After Babuk attacked the Washington DC Metropolitan Police Department in April, Randy Pargman, a 15-year veteran of the FBI, current VP of Threat Hunting & Counter-Intelligence at Binary Defense & long-time Babuk tracker, explained that the operators behind the RaaS offering either truly don’t want to attack those entities, or they’re just putting on a public face, telling the world that hey, we’re not all that bad.
Just because a ransomware outfit has a code of ethics does not mean that all of its affiliates follow it, though. Early on in the pandemic, several ransomware gangs pledged to spare hospitals because of the ongoing COVID-19 scourge.
The Maze & DoppelPaymer groups, for instance, stated they would not target medical facilities &, if one was accidentally hit, would provide the decryption keys at no charge. The Netwalker operators, meanwhile, also claimed they would not target hospitals. However, if one was accidentally hit, the hospital would still have to pay the ransom.
Those promises haven’t been kept: Cyber-criminals haven’t exempted medical professionals, hospitals or healthcare orgs on the frontlines of the coronavirus pandemic when it comes to cyber-attacks, including ransomware & other malware, & there’s little reason to believe that REvil’s new code of ethics will be any different.
Some groups make no pretence of ethics. In Sept., employees at Universal Health Services (UHS), a Fortune-500 owner of a nationwide network of hospitals, reported widespread outages that resulted in delayed lab results, a fallback to pen & paper, & patients being diverted to other hospitals.
The culprit turned out to be the Ryuk ransomware, which locked up hospital systems for days. That group has never made any attempt at demonstrating a conscience.