This is quite amusing and interesting.
Their bitcoin stash was seized and emptied. Their DDoS operation was seized: they used this to throw denial of service attacks at people whom they'd already hit with ransomware attacks who weren't paying up. Basically their infrastructure was taken from them and destroyed. No information who did this.
They closed up shop, and if I'm reading this article correctly, they released the decrpyt keys to everyone they'd encrypted but who hadn't paid yet.
Very strange things afoot.
One thing the article mentions is the "REvil Ransomware-as-a-service Platform." That's right, if you have the connections and the money, you can become a ransomware entrepreneur and go around perpetuating this shit and become rich and infamous. It is possible that the REvil people said 'No, you do not screw with major infrastructure, bad boys!' and had the means to tear them apart, or dropped a dime to law enforcement and turned them in. REvil is a pretty big org, and they certainly have the means to tear apart one of their franchise operators.
https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/Colonial paid a $5,000,000 ransom shortly after the incident happened to try and restore service as soon as they could. And they received a working de-crypt key promptly. The problem is, with the high levels of encryption that these ransomware packages apply, decryption of vast levels of data take a long time, so Colonial also started doing restores from backup while also decrypting, attacking the problem from two points at the same time.
There are multiple problems with ransomware, paying it or not. If you don't pay it, you have to rebuild your infrastructure from scratch and hope your backups are good. Smart people in IT have a saying that we're fond of that that if you don't test your backups by doing a restore, then you don't have a backup. And a lot of companies that get hit by ransomware all of a sudden find out that they don't have backups. I worked with one such company that got hit by ransomware: turns out they'd been having backup problems and just couldn't be bothered trying to resolve them, too busy.
Plus, the criminals have developed another layer to their model. They have to infiltrate your network to place the encryption software and launch it. So while they're there, they hit your email server and documents directories and exfiltrate that information, they also look for corporate secret stuff like blueprints and things. Lots of companies have secrets that they would rather were not exposed to the light of day, like that $1,000 gadget that everyone is buying that only costs $75 to make, or the CEO's perversity for 14 year olds? Things like that. So if the company doesn't pay the ransom and starts rebuilding, they then come back and double the ransom demand and threaten to dump this dirty laundry in the open press.
And then there's the problem with those that pay and become the victim of poor-quality criminals. They don't hear from the criminals and don't receive a decrypt key or program, or the key will not work, or they demand another ransom and it turns into escalating extortion.
The REvil people try to keep the criminals using their service operating professionally so that if you're hit by a REvil ransomware infection, you know that if you pay the ransom, you'll get your data back. I think it's a good chance that REvil took down DarkSide or dropped a dime and provided critical information for DarkSide's downfall.
We might know some day.
I'm not writing a lot about cybercrime because it's just too damn common. I could spend all my waking hours writing about it, just like I could spend all my time writing about politics. It's just not worth it. I quit working in IT, and I'm staying quit, though I'm still keeping abreast of some of the better blogs and web sites.
![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
