The criminal hacking group DarkSide, which the F.B.I. has blamed for carrying out a ransomware attack that crippled fuel delivery across the Southeastern United States this week, has announced that it is shutting down because of unspecified \u201cpressure\u201d from the United States.<\/p>\n
In a statement written in Russian and provided to The New York Times on Friday by the cybersecurity firm Intel 471, DarkSide said it had lost access to the public-facing portion of its online system, including its blog and payment server, as well as funds that it said had been withdrawn to an unknown account. It said the group\u2019s main web page and other public-facing resources would go offline within 48 hours.<\/p>\n
\u201cDue to the pressure from the U.S., the affiliate program is closed,\u201d the statement said, referring to intermediary hackers, the so-called affiliates, it works with to break into corporate computer systems. \u201cStay safe and good luck.\u201d<\/p>\n
What that pressure may have been is unclear, but on Thursday, President Biden said the United States would not rule out a retaliatory strike against DarkSide that would \u201cdisrupt their ability to operate.\u201d The White House spokeswoman, Jen Psaki, said the administration was waiting for recommendations from U.S. Cyber Command, but government officials on Friday declined to comment further about whether any action had been taken.<\/p>\n
Cybersecurity analysts cautioned that the DarkSide statement could be a ruse, allowing its members to regroup and deflect the negative attention caused by the attack. The group\u2019s announcement was reported earlier by The Wall Street Journal.<\/p>\n
The crisis began when Colonial Pipeline, the operator of one of the nation\u2019s largest fuel pipelines, announced on May 7 that it had been hit with a ransomware attack, in which criminal groups lock up computer systems and hold data hostage until the victim pays a ransom. In response, the company protectively shut down its pipeline, which delivers nearly half of the jet fuel and gasoline used on the Atlantic Coast, disrupting air travel and causing drivers to descend on gas stations in a surge of panic buying.<\/p>\n
To free up its computer systems, Colonial Pipeline paid the extortionists about 75 Bitcoin, or nearly $5 million, according to people briefed on the transaction. The decision allowed the company to get gas flowing again, but may have complicated the Biden administration\u2019s efforts to stave off new attacks.<\/p>\n
In a statement on Friday, a Colonial spokeswoman said, \u201cThere is an ongoing investigation, and we\u2019re not commenting on the ransom.\u201d<\/p>\n
Elliptic, a computer security company specializing in cryptocurrency, said on Friday that it had identified the Bitcoin wallet used by DarkSide to collect the Colonial Pipeline ransom payment. In a statement, Elliptic said Colonial Pipeline sent the ransom payment to DarkSide last Saturday.<\/p>\n
Since the DarkSide account was opened in March, Elliptic said, it had received $17.5 million from 21 Bitcoin wallets, indicating the number of ransoms it had collected just this spring. Cybersecurity analysts assess that the group has been active since at least August, and has most likely used a number of different Bitcoin wallets to receive ransoms.<\/p>\n
The intense scrutiny that followed the Colonial Pipeline attack has clearly unsettled ransomware groups. This week, the operators behind two major Russian-language ransomware platforms, REvil and Avaddon, announced strict new rules governing the use of their products, including bans on targeting government-affiliated entities, hospitals or educational institutions.<\/p>\n
The administrator of XSS, a popular Russian-language cybercrime forum, announced an immediate ban on all ransomware activity on the forum, citing, among other things, the bad press associated with the industry. In a statement posted in the forum, the administrator called the attention a \u201ccritical mass of harm, nonsense, hype and noise,\u201d saying even the spokesman for President Vladimir V. Putin of Russia had weighed in on the Colonial Pipe attack. (The spokesman, Dmitri S. Peskov, denied that the Kremlin had been involved in the attack on the pipeline.)<\/p>\n
\u201cThe word ransom has become associated with a whole series of unpleasant things \u2014 geopolitics, blackmail, government cyberattacks,\u201d the XSS administrator wrote. \u201cThis word has become dangerous and toxic.\u201d<\/p>\n
Even if DarkSide has shut down, the threat from ransomware has not passed. Cybercriminal networks often disband, regroup and rebrand themselves in an effort to throw off law enforcement, cybersecurity experts say.<\/p>\n
\u201cIt\u2019s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways,\u201d said Mark Arena, Intel 471\u2019s chief executive. \u201cA number of the operators will most likely continue to operate in their own close-knit groups, resurfacing under different aliases and ransomware names.\u201d<\/p>\n
Indeed, DarkSide gave no indication that its members were getting out of the ransomware business or even letting victims currently infected with the group\u2019s malware off the hook. In its statement, DarkSide said it would hand over its decryption tools to affiliates, giving these intermediaries, who were responsible for infecting computer systems with the group\u2019s malicious software, the ability to negotiate ransoms with victims directly.<\/p>\n
\u201cYou will be given decryption tools for all the companies that haven\u2019t paid yet,\u201d the statement read. \u201cAfter that, you will be free to communicate with them wherever you want in any way you want.\u201d<\/p>\n
Julian Barnes contributed reporting.<\/p>\n