The operator of the ransomware group Darkside, believed to originate in Eastern Europe or Russia, has been unable to access the computer systems it uses to conduct cyber attacks. According to security research firm FireEye, associates close to the hacking group said it would disband, citing international pressure from the US.
The DARKSIDE announcement stated that they lost access to their infrastructure, including their blog, payment, and CDN servers and would be closing their service. Decrypters would also be provided for companies who have not paid, possibly to their affiliates to distribute. (2/3)
— FireEye (@FireEye) May 14, 2021
The post cited law enforcement pressure and pressure from the United States for this decision. @Mandiant has not independently validated these claims and there is some speculation by other actors that this could be an exit scam. (3/3)
— FireEye (@FireEye) May 14, 2021
"A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. DOS servers. Now, these servers are unavailable via SSH, and the hosting panels are blocked," Darksupp, the operator of the Darkside ransomware, said.
Darksupp also reported cryptocurrency funds were withdrawn from the payment server and would be split between itself and its associates.
This sudden dispersion of the hacking group is suspicious. Who would disband a hacking operation for a measly $5 million, a sum that will barely buy a mansion in the Bay Area?
On Thursday, President Joe Biden announced his administration had been "in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks" and would "pursue a measure to disrupt their ability to operate."
Biden said, "We do not believe the Russian government was involved in this attack, but we do have strong reason to believe that the criminals who did the attack are living in Russia, that's where it came from."
But not everyone is convinced DarkSide is a legitimate hacking group; some suggest it is instead a cover for a rogue group of CIA hackers.
Natalya Kaspersky, the founder and former CEO of security software firm Kaspersky Lab, made an explosive suggestion in an interview with Russian state-owned domestic news agency RIA Novosti that CIA hackers were actually behind the Colonial Pipeline attack, reported RT News.
Kaspersky said the Umbrage team, which is part of the Remote Development Branch under the CIA's Center for Cyber Intelligence, can mask its hackers as outside ones and leave behind the "fingerprints" of the external hackers when it breaks into electronic devices.
WikiLeaks in 2017 shed light on the Umbrage team. At the time, USA Today said CIA operatives "may have been cataloging hacking methods from outside hackers, including in Russia, that would have allowed the agency to mask their identity by employing the method during espionage."
Kaspersky pointed out a list "of the countries under whose hacker groups this UMBRAGE is disguised – Russia, North Korea, China, Iran." She claimed that "therefore, it cannot be said with certainty that a hacker group carried out the attack from Russia and that it was not a provocation made themselves from there, or from some other country."
... more things that make you go hmm.
They WEREN'T REAL. I talked with hackers on every hacking tor forum I could find and they all said the same thing GOVERNMENT ENTITY. REvil, doppelpaymer those are REAL HACKING GROUPS. darkside? Never even existed on TOR. pic.twitter.com/ZtmztfPXwj
— emily (@oracleofomega) May 14, 2021