For a ransomware gang whose servers were purportedly commandeered last week, DarkSide has had a busy weekend, with a reported hit on Toshiba Business.
Late on Thursday night came a post to the “Exploit” underground forum that looked, at least, to be from DarkSide. It described how the gang’s blog, payment processing and denial-of-service (DoS) servers had been seized.
Fast-forward three days, and it sure doesn’t look like DarkSide is dead in the water. Friday’s statement has reportedly been deleted. According to the security intelligence firm Flashpoint, some members of the underground forum questioned whether the post might have been a fake.
DarkSide has been in the headlines non-stop since it crippled operations at Colonial Pipeline Co. 10 days ago, spiking gas prices and sparking a rush to stockpile.
The group extorted around $5 million in that incident, in return for which it sent the major fuel-supplying company a decryption tool that reportedly could barely limp through the process of unlocking files. A day before “DarkSide” – or whoever it was – put up the “lost-our-servers” post, President Joe Biden said in an executive order that the U.S. plans to disrupt the ransomware network.
Did DarkSide’s Servers Spark Back to Life and Grab Toshiba?
There’s always the possibility that the lost-servers post was an exit scam or, at least, bogus in some way – a possibility backed up by recent activity. On Friday, Toshiba Tec Group – the arm of Toshiba that makes scanners, printers and other business equipment – confirmed that its European subsidiaries had been hit.
Toshiba’s investigation has shown that the attack was limited to some regions in Europe, but the company hasn’t confirmed whether or not customer information was leaked.
It looks to be another DarkSide job. According to screenshots of the extortion message provided to Reuters by Mitsui Bussan Secure Directions – a representative from Toshiba’s French subsidiary – more than 740 gigabytes of information were compromised and included passports and other personal information.
As far as DarkSide’s payment-processing server goes, it was up and running as of last week: The group pulled in a $4.4 million extortion payment from a chemical distributor. As Bleeping Computer reported, Brenntag – a huge chemical distribution company headquartered in Germany but with over 17,000 employees worldwide at over 670 sites – suffered a ransomware attack that targeted its North America division. The threat actors reportedly claimed to have stolen 150GB of data.
DarkSide initially demanded a 133.65 Bitcoin ransom – about $7.5 million – when it attacked the company earlier in May. BleepingComputer’s sources told the outlet that Brenntag negotiated the extortion fee down to $4.4 million, which was paid on Tuesday, May 11. The outlet confirmed that the money went into a Bitcoin address its sources shared with it.
“Brenntag North America is currently working to resolve a limited information security incident,” Brenntag told BleepingComputer on Thursday. “As soon as we learned of this incident, we disconnected affected systems from the network to contain the threat.
“In addition, third-party cybersecurity and forensic experts were immediately engaged to help investigate. We also informed law enforcement of this incident.”
The DarkSide Statement That’s Since Gone *Poof*
According to Flashpoint, on Thursday night, UNKN – the spokesperson for DarkSide’s fellow RaaS, REvil – made a post on the top-tier Russian-language forum Exploit, quoting DarkSide’s previous, now-deleted post. Translated from Russian into English, the statement read:
Ever since the first version, we promised to speak honestly and openly about problems. A few hours ago, we lost access to the public part of our infrastructure, namely:
Blog.
Payment server.
DOS servers.
Now these servers are unavailable via SSH, the hosting panels are blocked. Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information.
Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.
DarkSide, Other Gangs Banned from XSS Forum
The heat generated by the pipeline attack – an attack against critical U.S. infrastructure – has attracted all the wrong kind of attention to ransomware collectives. As a result, DarkSide’s fellow RaaS player, REvil, found itself forced to introduce new restrictions on how it operates.
The REvil gang on Friday announced that it’s instituting pre-moderation for its partner network, and said it would ban any attempt to attack any government, public, educational or healthcare organizations. Referring to DarkSide’s experience, REvil’s backers said that the group was “forced to introduce” these “significant new restrictions,” promising that affiliates that violated the new rules would be kicked out and that it would give out decryption tools for free.
XSS Says No More Ransomware
It’s not the only one coming up with new rules: according to Flashpoint researchers, the Russian-language cybercriminal forum XSS has also announced that it was outlawing all ransomware activities, including ransomware affiliate programs, ransomware for rent, and sale of ransomware software.
That could be a big hit to the ransomware economy, given that XSS has been an important forum for advertising for affiliates. Some of the biggest ransomware players maintain an active presence on the forum, researchers noted, including Babuk, DarkSide, LockBit, Nefilim, Netwalker and REvil.
A ‘Critical Mass of Nonsense, Hype and Noise’
The XSS admin reportedly said that the ransomware expulsion is partially based on ideological differences between the forum and ransomware operators. The attention from high-profile incidents such as the pipeline attack is also quite unwelcome, the admin said, having resulted in a “critical mass of nonsense, hype and noise.” Ransomware collectives and their accompanying attacks are generating “too much PR,” the XSS admin said, and are heightening the geopolitical and law-enforcement risks to a “hazard[ous] level.”
Hazardous, as in, perhaps putting Russian President Vladimir Putin in an awkward position: The XSS admin reportedly posted that when “Peskov [the Press Secretary for the President of Russia, Vladimir Putin] is forced to make excuses in front of our overseas ‘friends’ – this is a bit too much.” The admin included a link to an article on the Russian news website Kommersant, entitled “Russia has nothing to do with hacking attacks on a pipeline in the United States.”
What’s Next for DarkSide?
Stefano De Blasi, a threat researcher for Digital Shadows, said that it’s not surprising to see news about DarkSide operations in spite of the criminal group’s infrastructure having allegedly been taken down.
“A plausible explanation for this phenomenon is that DarkSide affiliates were likely encrypting several targets at the same time, and that some of those victims are only coming out in public about their attack a few days later,” he commented to Threatpost on Monday. “For example, a Toshiba spokesperson has indicated that the company suffered that ransomware attack on May 4, just three days before the Colonial Pipeline one.”
De Blasi said via email that it’s “realistically possible” that while DarkSide’s shutdown is part of a strategy to avoid further pressure from law-enforcement agencies, it’s “unlikely that DarkSide would immediately continue their operations without leaving some time to calm things down.”
Thus, while we might well hear about more DarkSide encrypting sprees in the future, it’s likely that they’ll avoid attacking more companies in the immediate aftermath of the Colonial Pipeline attack, he said.