The DarkSide ransomware group, whose attack forced the shutdown of a major US pipeline, reportedly moved its funds before the alleged seizure of its wallets and servers.
According to several reports, DarkSide has lost access to the servers behind its affiliate program, and with them its cryptocurrency. Through that affiliate program, DarkSide paid other criminals a share of the ransom for deploying its ransomware against victims around the world.
But the blockchain analytics firm Elliptic says DarkSide moved a large part of the payment it received from Colonial Pipeline Co. before the alleged confiscation.
The pipeline operator reportedly paid close to $5 million in bitcoin to the attackers to recover from the ransomware, The Wall Street Journal reported on Wednesday.
DarkSide itself announced online that it had lost access to part of its servers and to the cryptocurrency held on them.
However, no official source has confirmed this sequence of events, so it could be a story spread by the attackers themselves, either as cover or as an exit scam against affiliates who are still owed their share of ransom payments.
Image caption: The attackers reportedly lost access to their servers and to the cryptocurrency obtained through their ransomware attacks. Composition by CriptoNoticias. Sources: geralt-9301 / pixabay.com; pngegg.com.
According to security researcher Dmitry Smilyanets, as reported by The Record, DarkSide acknowledged in forums and other online posts that it had lost access to part of its server infrastructure.
The Record also cites a message on the Telegram channel Russian OSINT in which the attackers acknowledge that the cryptocurrency held on those servers was confiscated.
The country where the servers were hosted was not disclosed, but DarkSide claims that its hosting provider gave in to the authorities and law-enforcement agencies following the case internationally. "After a few hours, the funds from the payment server were withdrawn to an unknown address," they claim.
According to US media reports, President Joe Biden this week urged President Vladimir Putin to find a way to disrupt the operations of hacker groups operating from Russia and neighbouring countries.
On the trail of Colonial Pipeline’s BTCs
Blockchain analytics firm Elliptic identified the wallet address at which DarkSide received the Colonial Pipeline payment. In total, DarkSide received 75 BTC from Colonial Pipeline on May 8, 2021, Elliptic says in a blog post.
Beyond the Colonial payment, the wallet received 57 payments from 21 different wallets, some of which match ransomware cases in which the victims are known to have paid. One of them, 78.29 BTC (about USD 3,871,000), was sent on May 11 by the chemical distributor Brenntag.
Image caption: Criminal groups aim ransomware attacks at individuals, companies and institutions around the world, causing losses and serious incidents. Source: pixabay.com.
Both payments, Colonial Pipeline's and Brenntag's, went to the same Bitcoin address, Elliptic says, which indicates that the same actor was behind both attacks.
Elliptic also states that the authorities could not have seized all of Colonial Pipeline's bitcoin, because according to its analysis the funds had already been moved to another address under the attackers' control. Elliptic has not disclosed the Bitcoin addresses in question.
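The three checks Elliptic's analysis rests on (which payments landed in the ransom address, whether two known victims paid into the same address, and whether the balance had already left before the claimed seizure) can be expressed over a small ledger. The block below is an added example written for this article; it is not Elliptic's tooling or code from the article. The ledger, the address labels (darkside_pay, unknown_1 and so on), the txids and the outflow timing are constructed for illustration; only the 75 BTC and 78.29 BTC amounts and their dates echo the figures quoted above. The hypothetical seizure date SEIZURE_CLAIM is likewise an assumption.

```python
"""Toy tracing of ransom payments over a constructed, account-style ledger.

Added example: not Elliptic's analysis code and not from the original article.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample ledger: (txid, sender, receiver, amount_btc, timestamp).
# "victim_*" stand in for victim wallets; "darkside_pay", "revil_pay" and
# "unknown_*" are hypothetical attacker-controlled addresses.
LEDGER = [
    ("tx01", "victim_colonial", "darkside_pay", 75.00, datetime(2021, 5, 8, 10, 0)),
    ("tx02", "victim_other_1", "darkside_pay", 12.50, datetime(2021, 5, 9, 14, 0)),
    ("tx03", "victim_brenntag", "darkside_pay", 78.29, datetime(2021, 5, 11, 9, 0)),
    ("tx04", "victim_other_2", "revil_pay", 20.00, datetime(2021, 5, 11, 12, 0)),
    ("tx05", "darkside_pay", "unknown_1", 165.79, datetime(2021, 5, 13, 8, 0)),
]

# Hypothetical moment of the claimed seizure (assumption, not a reported date).
SEIZURE_CLAIM = datetime(2021, 5, 14, 0, 0)
# A point in time before the constructed sweep transaction tx05.
BEFORE_SWEEP = datetime(2021, 5, 12, 0, 0)


def inbound(ledger, address):
    """Transactions paying into `address`, oldest first."""
    return sorted((tx for tx in ledger if tx[2] == address), key=lambda tx: tx[4])


def shared_receivers(ledger, payer_a, payer_b):
    """Addresses that received funds from both payers.

    This is the attribution heuristic described in the article: two victims
    paying into the same address points to one operator behind both cases.
    """
    paid_to = defaultdict(set)
    for _, sender, receiver, _, _ in ledger:
        paid_to[sender].add(receiver)
    return paid_to[payer_a] & paid_to[payer_b]


def balance_at(ledger, address, when):
    """Net balance of `address` counting only transactions at or before `when`."""
    total = 0.0
    for _, sender, receiver, amount, ts in ledger:
        if ts > when:
            continue
        if receiver == address:
            total += amount
        if sender == address:
            total -= amount
    return round(total, 8)


def swept_before(ledger, address, cutoff):
    """Outflows from `address` that happened strictly before `cutoff`.

    A seizure at `cutoff` can only take what is still sitting at the address;
    anything that left earlier is out of reach, which is Elliptic's point.
    """
    return [tx for tx in ledger if tx[1] == address and tx[4] < cutoff]


if __name__ == "__main__":
    print("inbound:", [(tx[0], tx[3]) for tx in inbound(LEDGER, "darkside_pay")])
    print("shared receiver:", shared_receivers(LEDGER, "victim_colonial", "victim_brenntag"))
    print("balance before sweep:", balance_at(LEDGER, "darkside_pay", BEFORE_SWEEP))
    print("balance at seizure claim:", balance_at(LEDGER, "darkside_pay", SEIZURE_CLAIM))
    print("moved out beforehand:", [(tx[0], tx[2], tx[3]) for tx in swept_before(LEDGER, "darkside_pay", SEIZURE_CLAIM)])
```

Real Bitcoin analysis works on UTXOs rather than account balances, so a production tracer would follow individual outputs and apply clustering heuristics (common-input ownership, change detection) instead of matching on a single receiving address; the account-style model here is deliberately simplified to show the reasoning, not the chain format.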
Change of attitude: from bad actors to “ethical” criminals
The seizure of DarkSide's funds, together with government pressure, appears to have prompted some ransomware groups to change the rules and "ethics" governing their malicious activity.
DarkSide is reportedly releasing decryption tools to the companies and organizations hit by its ransomware, perhaps in an attempt to redeem itself publicly.
Another group, REvil, which operates the ransomware of the same name, said its affiliate program would also be subject to new restrictions, according to The Record.
For example, REvil now forbids its affiliates from attacking "social sector" targets such as hospitals and educational institutions, as well as government entities in any country. Affiliates must also obtain approval before carrying out an attack.
Image caption: The REvil hacker group was among those that announced changes to their attack policies. Source: .
Intel 471, which has been tracking this new posture adopted by several criminal groups, believes that the severity of the attack on the US pipeline, whose operations have since been restored, and the media coverage of the case may have been too much pressure even for anonymous criminals.
As CriptoNoticias reported, the attack severely disrupted fuel distribution on the US East Coast, and the attackers demanded an undisclosed amount in monero (XMR) or bitcoin (BTC). Colonial Pipeline Company transports roughly 45% of the fuel consumed on the East Coast through its network of pipelines.
However, based on past cases, Intel 471 believes these announcements may simply be meant to calm the waters: once the storm passes, the groups could resume attacks with other techniques or regroup under new names to disguise themselves.
Notably, Intel 471 reports that BitMix, a cryptocurrency mixing service popular with the Avaddon, DarkSide and REvil groups, has stopped operating. As a result, they say, "Operators will have to find new ways to 'launder' the cryptocurrencies they get from their extortions (ransoms)."
As CriptoNoticias has reported, ransomware attacks have already extracted more money from victims this year than in all of 2020. The average cost of recovering from an attack is nearly $2 million, and only 8% of the companies that pay get all of their data back, according to Sophos.