Best of 2021 – DarkSide Ransomware Gang Struck Down — but by Whom?

As we close out 2021, we at Security Boulevard wanted to highlight the most popular articles of the year. Following is the next in our series of the Best of 2021.

The DarkSide group, hacker of the Colonial Pipeline, has hurriedly shut up shop. The shadowy group claims its servers and cryptocurrency balances have disappeared.

People say it was the U.S. government that killed it. Which makes sense in the context of the White House’s recent pronouncements.

But not so fast—there are two other competing theories. One is it’s all a ruse so DarkSide can make off with the money it owes other crims. Another is it’s actually the Russian government pulling the plug because the group got too big for its boots.

This sounds like a job for friar William of Ockham and his famous razor. In today’s SB Blogwatch, we look east.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Microwaving hamsters (humanely).

Seduced by the DarkSide

What’s the craic? Christopher Bing and Nandita Bose report the first shoe—“Biden cybersecurity order mandates new rules”:

“New security standards”
President Joe Biden on Wednesday ordered the creation of an air accident-style cyber review board and the imposition of new software standards for government agencies following a spate of digital intrusions that have rattled the United States. … The order follows a digital extortion attempt against major fuel transport company Colonial Pipeline that triggered panic buying and fuel shortages in the southeast [and] the hack of … SolarWinds, whose software was hijacked to break into government agencies and steal thousands of officials’ emails.

The executive order’s initiatives include the creation of an organization that would investigate major hacks along the lines of National Transportation Safety Board inquiries that are launched after plane crashes. They also include the imposition of new security standards for software bought by government agencies [such as] the use of multi-factor authentication … and the use of encryption both for stored data and communications.

And shoe #2? Here’s Catalin Cimpanu’s new boogaloo—“Darkside ransomware gang says it lost control of its servers & money a day after Biden threat”:

“Exit scam”
A day after US President Joe Biden said the US plans to disrupt the hackers behind the Colonial Pipeline cyberattack, the operator of the Darkside ransomware said the group lost control of its web servers and some of the funds it made from ransom payments. “A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN servers,” said Darksupp, the operator of the Darkside ransomware, in a post spotted by … intelligence analyst Dmitry Smilyanets.

[It] comes after US authorities announced their intention to go after the gang. … “We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” President Biden said in a press conference on Thursday. “We are also going to pursue a measure to disrupt their ability to operate.”

The Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang’s payment server [and] transferred to an unknown wallet. … But Smilyanets warns that the group’s announcement could also be a ruse, as no announcement has yet been made by US officials. The group could be taking advantage of President Biden’s statements as cover to … run away with its affiliate’s money without paying their cuts—a tactic known as an “exit scam.”

Joseph Robinette Biden Jr.—aka POTUS#46—orders thuswise: Improving the Nation’s Cybersecurity:

“Government must lead by example”
The Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to these actions and actors. The Federal Government must also carefully examine what occurred during any major cyber incident and apply lessons learned.

The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace. [But] the Federal Government must lead by example. All Federal Information Systems should meet or exceed the standards and requirements for cybersecurity set forth in and issued pursuant to this order.

tl;dr. Proudrooster looks forward to real change:

“Requires hiring competent people”
Security is an illusion, mostly propped up by vendors selling security products. You don’t buy security, you earn it—by making it a priority.

We could start by unplugging China and Russia from the Internet to give us some time. Insurance companies are sick of paying out [so] insurance companies are the only thing I can see driving real change since real change requires hiring competent people to be on guard.

But somebody seems to be competent. Don’t play stupid games with the U.S., says Play stupid games:

“Liberty”
Sounds like DarkSide learned what dictators and cybercriminals alike have known for decades: Want to shut down international logistics and shipping? OK. Kill people by shutting down hospitals? The FBI will get around to investigating it. Commit some war crimes here and there? Maybe a condemnation and some sanctions.

**** with America’s oil? Get ready to learn about American liberty. And by liberty, I mean you’re going to be liberated from everything you hold dear.

Can’t the perps just pop up again? This isn’t just about DarkSide, thinks specialp:

“Act of war”
They know that they can and will be found, and are running scared. In general ransomware works because it takes a lot of resources to find the criminals behind it. And generally there’s not enough resources to do this.

But once it hits a level where it creates a widespread national problem, it becomes more of an act of war. Then you get people involved that aren’t just law enforcement and have tools that aren’t available to law enforcement with large budgets.

A national problem? But which nation? MrWalrus suggests this scenario:

“Shut down”
The pipeline attack was a big enough deal that Russia is no longer excited to be semi-openly harboring them. [If] Darkside has connections to the Russian government, I think those connections are telling them “You drew too much heat. You know that we know who you are and where you live, shut down or we shut you down.”

What if ransomware scrotes couldn’t hack us in the first place? john.r.strohm spots the oint in the flyment:

“Get what we deserve”
As long as it is fashionable to let programmers do anything they want, and rely on them not to make a mess of it (as the late Edsger W. Dijkstra was fond of saying), we are going to have problems. As long as we pretend that C and C++ are good languages, and Windows is a good operating system, we will continue to get what we deserve, and we will generally, as Jerry Pournelle used to say, get it good and hard.

Meanwhile, Deputy Cartman cuts to the chase:

“Feed the family”
Few things are more terrifying than millions of Americans suddenly deprived of their God-given right to drive 30 miles each way to Costco to fill their SUV with 32 packs of beer and enough $2.99/lb. ground chuck to feed the family for a month.

And Finally:

Sometimes, “obvious” urban myths … aren’t

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Oliver Ayala (cc:by-sa)

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
