DarkSide, a ransomware-as-a-service operation, announced Thursday that it was stopping operations.
In an announcement in Russian, the group said it had lost access to part of its infrastructure, along with some of its financial assets, after an apparent raid by law enforcement authorities.
Affiliates that use DarkSide’s ransomware were told they would be given decryption tools so that victims could regain access to data the attackers had held hostage in return for payment.
The attack on Colonial Pipeline earlier this month prompted the Georgia-based company to shut down certain parts of its network. That led to a major U.S. pipeline going offline, which in turn led directly and indirectly to gas shortages and rising prices at the pump.
Reports suggested Colonial paid millions of dollars for a tool to regain access to the systems the attackers had compromised, but the company has declined to confirm that publicly, as has the U.S. government.
The FBI this week said the DarkSide ring was responsible for the compromise of Colonial’s networks. DarkSide appeared to acknowledge that much in an earlier statement, saying it is apolitical and its goal is to make money, not to create problems for society.
“From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future,” it said.
Security researchers expressed skepticism of DarkSide’s new announcement.
Robert Lee, co-founder and CEO of Dragos, said on Twitter that the move “is almost certainly a rebranding attempt to avoid the heat.”
DarkSide and another ransomware group, Babuk, took their actions in reaction to “the high-profile ransomware attacks covered by the media this week,” Intel 471 said. Babuk said Thursday it was shifting operations after taking credit for obtaining and leaking information from Washington’s police department.
“However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants,” it added.
President Joe Biden told reporters earlier Thursday that the U.S. government has “strong reason” to believe the Colonial hackers were based in Russia but were not backed by the Russian government.
“We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” he said. “We’re also going to pursue a measure to disrupt their ability to operate. And our Justice Department has launched a new task force dedicated to prosecuting ransomware hackers to the full extent of the law.”