Gang Behind the Us Pipeline Hack Closed the Shop, but the Threat Lives


The DarkSide cybercriminal group behind the recent ransomware attack on Colonial Pipeline has shut down its operation. In a statement framed as an act of honesty, an operator using the handle Darksupp confirmed that part of the group's public infrastructure had been seized, including its operating and payment servers as well as its Onion data leak site.

DarkSide's cryptocurrency wallet was also allegedly drained of both internal and customer funds. However, there is speculation that the whole episode is a planned exit scam: by blaming law enforcement, the criminals would not have to share their still-warm $9.4 million in proceeds with affiliates. The remaining victims reportedly received their decryption keys, sparing them from paying the ransom.

Cybercriminal Robin Hoods

Compounding DarkSide's misfortune, the Russian-speaking hacker forum XSS announced a ban on ransomware discussions. Its admins worry that the recent campaigns have attracted too much attention from law enforcement and risk stirring up geopolitical tensions.


LIFARS Incident Response Team can mitigate the risks of ransomware and refine the security posture of your organization in a swift manner during the time of an incident. We will provide a fast and effective response that can help minimize the damage and cost associated with ransomware and cyber extortion attacks.


The Eastern European criminal gang has been actively offering sophisticated Ransomware-as-a-Service since last summer. Its newly discovered activity clusters are tracked as UNC2628, UNC2659, UNC2465, and two more. DarkSide affiliates are allowed to configure the malware build, select their own victims, and even choose which stolen data gets leaked.

The hackers have mainly been interested in large corporations. They claim to avoid civil and health services and to donate part of the ransom proceeds to charity. This "big game hunting" ideology is not unique among cybercriminals and should keep large-scale businesses on constant alert.

Interestingly, some analyses suggest that some of DarkSide's core members also participate in REvil ransomware campaigns. That notorious Russian cybercriminal group has now announced a ban on targeting the social and governmental sector, citing reasons similar to those given by XSS.

Critical for a Reason

The recent sweeping ransomware offensives have highlighted the grim reality of cyberattack trends. First, these encrypt-and-extort threats are becoming an entrenched norm. Second, cybercriminals are increasingly going after critical infrastructure targets. And finally, companies that fear losing their business do pay the ransom.

The outage of the US East Coast's crucial petroleum supply led to a regional emergency declaration to keep fuel flowing. Some state governments issued executive orders to control fuel prices as public concern over potential supply shortages grew.

After the Microsoft Exchange campaign, anyone who thought nothing worse could happen this year was badly mistaken. While daily attacks on enterprises rarely make newspaper headlines, aggression against core national functions can provoke a weighty response. The involvement of the highest levels of the US administration in mitigating the attack is tangible evidence of this.

To Pay or Not to Pay

After Colonial Pipeline's services were restored, reports about the big decision over the payment emerged. The company allegedly paid 75 bitcoins, worth around $5 million. Despite experts and government officials urging victims not to pay, most victims actually choose to give in.

The reason is either a sense of helplessness, missing or outdated backups, or fear of reputational damage. Some businesses simply have no room to manoeuvre and must restore operations as quickly and smoothly as possible. However, practice offers a clear warning: neither negotiation nor payment guarantees that infected systems will be decrypted.

More companies paying ransoms to criminals is nevertheless an ominous development, all the more so when the payers are critical infrastructure operators. The argument is the plain logic of cybercrime: as long as gangs like DarkSide profit from their illicit activities, ransomware lives on.

If you are affected by ransomware, turn to professional services instead of taking hasty steps. LIFARS provides complimentary consulting on ransomware attacks to help decide on a way forward, including determining whether data exfiltration occurred, whether additional systems have been compromised, and whether data recovery should be attempted.


Sources

FBI: Statement on Network Disruption at Colonial Pipeline
The New York Times: Cyberattack Forces a Shutdown of a Top U.S. Pipeline
Entrepreneur: Three More States Declare a State of Emergency as Effects of Pipeline Attack Worsen
Bloomberg: Colonial Pipeline Paid Hackers Nearly $5 Million in Ransom
Cybereason: Cybereason vs. DarkSide Ransomware
FireEye: Shining a Light on DARKSIDE Ransomware Operations
Krebs on Security: DarkSide Ransomware Gang Quits After Servers, Bitcoin Stash Seized