Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security

Darkside Ransomware Gang Says It Lost Control of Its Servers, Money a Day After Biden Threat (therecord.media) 139

A day after US President Joe Biden said the US plans to disrupt the hackers behind the Colonial Pipeline cyberattack, the operator of the Darkside ransomware said the group lost control of its web servers and some of the funds it made from ransom payments. From a report: "A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN servers," said Darksupp, the operator of the Darkside ransomware, in a post spotted by Recorded Future threat intelligence analyst Dmitry Smilyanets. "Now these servers are unavailable via SSH, and the hosting panels are blocked," said the Darkside operator while also complaining that the web hosting provider refused to cooperate. In addition, the Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang's payment server, which was hosting ransom payments made by victims. The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet, Darksupp said. This sudden development comes after US authorities announced their intention to go after the gang.
This discussion has been archived. No new comments can be posted.

Darkside Ransomware Gang Says It Lost Control of Its Servers, Money a Day After Biden Threat

Comments Filter:
  • OK (Score:3, Insightful)

    by war4peace ( 1628283 ) on Friday May 14, 2021 @01:46PM (#61384888)

    So what's going to happen with those funds, if the USA government snatched them? Will they go back to whoever paid them (in this case, Colonial Pipeline), or does the government keep it?

    • Re:OK (Score:5, Interesting)

      by grub ( 11606 ) <slashdot@grub.net> on Friday May 14, 2021 @01:51PM (#61384906) Homepage Journal
      I'm betting it is an exit scam to avoid paying their criminal affiliates.
      • Re:OK (Score:5, Interesting)

        by fahrbot-bot ( 874524 ) on Friday May 14, 2021 @01:58PM (#61384938)

        I'm betting it is an exit scam to avoid paying their criminal affiliates.

        Or just someone in the gang, who had the passwords, got greedy, took the money and locked everything up to make it look like a takedown. Basically what you said, but more specific... Either way, won't the record in the crypto wallet show who withdrew the funds?

        • Re:OK (Score:5, Informative)

          by grub ( 11606 ) <slashdot@grub.net> on Friday May 14, 2021 @02:11PM (#61384990) Homepage Journal
          No, the ledger will only show where it was sent to. If this crypto gets laundered through Monero or Zcash (or other anonymizing crypto), then that pretty much proves it wasn't the feds.
          • No, the ledger will only show where it was sent to. If this crypto gets laundered through Monero or Zcash (or other anonymizing crypto), then that pretty much proves it wasn't the feds.

            You're saying the Feds couldn't do that too?

          • Even if it gets laundered, it's gotta come out somewhere. The intelligence agencies are professionals at following money. If a random Russian housewife suddenly controls an account worth a few billion Rubles (millions USD), that's going to get noticed. Right now, any sudden changes of wealth is putting a bullseye on that person's forehead.

      • Re:OK (Score:4, Interesting)

        by timeOday ( 582209 ) on Friday May 14, 2021 @01:59PM (#61384940)
        I wouldn't be so sure? Kidnapping somebody is easier than successfully collecting the ransom and making a clean getaway. This is going to be a very good test of how untraceable any of this stuff really is.
        • Especially since the various cryptocurrencies are designed to resist law enforcement tracing.

        • I wouldn't be so sure? Kidnapping somebody is easier than successfully collecting the ransom and making a clean getaway. This is going to be a very good test of how untraceable any of this stuff really is.

          "Pop quiz, Hot Shot...."

      • That sounds like solid plan to get yourself murdered in Russia.

        • That sounds like solid plan to get yourself murdered in Russia.

          There are easier ways... just say something mean about Putin -- bonus points if it's also true -- or run against him in an election.

      • That was my reaction as well. It's standard practice for Russian malware operators to shut down like this, not even to avoid paying affiliates but just to start again with a clean slate somewhere else. Declare defeat, move the funds somewhere untouchable, and come back a week later under a new identity.
    • Colonial never paid. Also in question is if these are ransom payments or payments for the malware. Darkside claims to sell the ransomware to third parties. They tried to appease by saying high profile targets are never their intent and they would do a better job vetting their 3rd parties to ensure the targets are low profile. That seems to indicate that Darkside is not collecting ransoms but selling illegal software. In which case the US will use asset forfeiture to keep the funds.
      • by edis ( 266347 )

        Colonial never paid.

        This contradicts reports they did, and have received tool to recover their assets, albeit this was slow process.
        https://it.slashdot.org/story/... [slashdot.org]

        • Re: OK (Score:5, Informative)

          by e3m4n ( 947977 ) on Friday May 14, 2021 @02:15PM (#61385006)
          https://www.reuters.com/busine... [reuters.com]
          Is it possible that the government fronted the money and found a way to trace the bitcoin back to the servers? Ive heard of things like that for kidnappings using regular money, to organize a sting operation. Everything a couple days ago was pointing straight to them rather reinstalling everything from old backups than pay a terrorist.
          • Re: (Score:2, Funny)

            by Anonymous Coward
            Yep.. that's how it works. Embed code in the bitcoin hash, same method to deploy as a .jpg attack except you use an exploit that was embedded in the Crypto Wallet Manager. It's one way to take down the dark underworld.
        • Re: (Score:2, Interesting)

          Some insiders are saying fedgov paid and the amount was much, much higher than publicly disclosed.

          If true, that would be sufficient reason to fold up shop and retire.

      • by nomadic ( 141991 )

        "They tried to appease by saying high profile targets are never their intent and they would do a better job vetting their 3rd parties to ensure the targets are low profille"

        Never quite understood this; did they think people were going to say "oh, alright then, carry on?"

        • by e3m4n ( 947977 )
          Apparently. A show of faith would have been "this 3rd party violated our terms of contract. Here are the keys to decrypt the servers. We have ended all ties with this 3rd party" ... their statement fell well flat of that, hence the retribution they got. If this was a Mob of Mafia operation, the idiot that brought federal eyes on the deal would already have a bullet in his head.
        • Pretty much. If you pick on smaller targets with little political influence and relevance, the government won't devote resource to catching you. It's been working fine so far.
    • So what's going to happen with those funds, if the USA government snatched them?

      Probably will fund CIA black ops.

    • You're assuming they're telling the truth. These are criminals who know that they now have to scatter after drawing far too much attention to themselves. There's a number of possibilities for what happened:

      1. The group is lying, hoping that this story will get law enforcement off their backs
      2. Some other hacking group stole the money and hacked the servers
      3. A law enforcement agency seized the money and hacked the servers
      4. Some members of the group stole the money (no honor among thieves)
      5. The NSA hacked
  • by fahrbot-bot ( 874524 ) on Friday May 14, 2021 @01:54PM (#61384924)

    Someone send them a ransom demand ...

  • Take everything they have and let them rot in prison for life.

    It's about time some of these fuckers got their due.

  • Take every bit of money they have stolen and invest it toward reducing the national debt. The fact that people pay ransomware is directly connected to the existence of ransomware and therefore they should not receive a dime.

  • So either the NSA "TAO" finally took an interest or some other criminals stole the money. Great show, would watch again!

    Of course, I still think a company providing a critical service with IT security this bad should have all its C-Level executives stripped of personal fortune and jailed for a few years. The scum breaking in is one thing, but the scum not making breaking in hard when they had tons of money they could have thrown at the problem are known by name and deserve a lot of pain coming their way.

    • There's a lot more possibilities than that. It could also be the Russian authorities deciding they need to make an example to show some due diligence, even though most of these guys are probably employed by the GRU or some other 3 letter agency.
      • by gweihir ( 88907 )

        There's a lot more possibilities than that. It could also be the Russian authorities deciding they need to make an example to show some due diligence, even though most of these guys are probably employed by the GRU or some other 3 letter agency.

        That I would count under "some other criminal gang".

    • Great show, would watch again!

      I loved it! It was much better than Cats. I am going to see it again and again.

  • And we've lost sight of them in this area. Let's say it's Russia, and Russia were to actively support saboteurs that did physical damage that stopped the pipeline for a week. You know what that would be?

    A legitimate casus belli. Taking the pipeline out by accidentally destroying internet-exposed equipment a la the Stuxnet attack would be the sort of thing that would justify Biden sending in half a dozen B2s deep into Russian airspace and carpet bombing all of their pipelines going to ports and Europe.

    My gue

    • If that was the case then Russia would have been bombing us back in 1982. [risidata.com]

    • by vinn01 ( 178295 )

      A military advisor said: "Cyber attacks can be acts of war if they cause physical destruction. The US Department of Defense law of war manual states that some cyber operations should be subject to the same rules as physical, or “kinetic” attacks".

      In this case, the pipeline operator chose to shut it down because the billing system was hacked. The pipeline has no physical damage. I would suggest that we change the law of war manual, because there can be a heck of a lot of economic damage without

      • Couldn't Star Wars (Reagan cold war program) constitute "economic damage" as applied to the USSR?

  • Even though the payment was made through a decentralized infrastructure, ultimately, it terminates at a single choke point and somehow the authorities took over that system.

  • The solution to ransomware is to change the risk/reward ratio. Right now there is far too much reward for very little risk.

    In American history there have been other gangs of thieves; cattle rustlers, horse thieves, pirates, etc. When the risk/reward ratio changed, by harsh punishment such as hanging, the thievery ended.

    • by dmay34 ( 6770232 )

      Have the Air Force make them a visit.

      • You realise that would not be the end of it. It wouldn't even be the end of the beginning. It would only be the beginning of the beginning.

        • by dmay34 ( 6770232 )

          It would escalate it. But hackers are slowly escalating their war as it is. It is one thing to take down a pet store, it's another to take down critical infrastructure. There has to be a line somewhere.

          The criminal nerds need to understand that there are serious consequences for crossing the line.

  • > the Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang's payment server, which was hosting ransom payments made by victims

    Hosting ransom payments!? Are they not using a cold wallet which makes it effectively unidirectional - ie deposit only! The ONLY people taking payments out of a cold wallet are the owners.

  • That sound in the distance means all of your servers are about to go down.

    • I think a nice, anonymous KEW would be just the thing. We can even call it a present!

      That does require finding their physical location. But, hey with the cold war gone, what else are the spies supposed to do?
      We can't have all them spies unemployed. Or worse, selling their skills to the highest bidder. Have them hunt down this a-holes and send in the KEWs!

      And if that location happens to be a place we don't like, make the KEWs out of depleted uranium. Have to get rid of the stuff somehow.


      KEW = Kinetic
  • Thank you, NSA.

    • And hopefully a sequel from the CIA. If hackers start experiencing a whole bunch of "accidents" then maybe they'll choose a profession of less "clumsy" people. And after that, the CIA can turn their attention to Indian call centers.
  • That might help in keeping the politicians from nagging the cyber security forces every day to do something. What next? "Oh no, we were vax deniers who never wore masks and are now dying from COVID-19, woe is us, you win!".
  • Don't think I need to explain what I mean by this, do I?
  • now, if we could just blow these sumbitches out of the water when we first start seeing the C&C traffic starting up....

  • The funds, which the Darkside gang was supposed to split between itself and its affiliates (the threat actors who breach networks and deploy the ransomware), were transferred to an unknown wallet,

    Which is it? I'm guessing #1

    1) Gang members absconded with the funds

    2) Someone inside the gang who knew the password double-crossed them

    3) There's a way to steal currency out of a wallet

    4) The hackers were hacked

  • Don't piss off rich people. They can afford more hackers.

  • To discover that there are criminals with access to their servers!
  • re: ...complaining that the web hosting provider refused to cooperate

    Good! Too bad for you. Kudos to the hosting provider, whoever they are.

  • Cryptocurrencies should have the option to bork people who get paid for ransomware attacks.

Keep up the good work! But please don't ask me to help.

Working...