Darkside ransomware Archives – Gridinsoft Blog (last updated Wed, 12 Jan 2022)

US authorities offer $10 million for information on DarkSide operators
Published Mon, 08 Nov 2021. https://gridinsoft.com/blogs/us-authorities-offer-10-million-for-information-on-darkside-operators/

The post US authorities offer $10 million for information on DarkSide operators appeared first on Gridinsoft Blog.

The US government has offered a $10,000,000 reward for any information that could lead to the identification or arrest of members and operators of the DarkSide hack group.

The authorities emphasize that this reward is available for any information about DarkSide leaders who occupy key positions in the group. An informant who provides information leading to the arrest of DarkSide affiliates (in any country) who help the hackers carry out attacks can earn up to $5,000,000.


The US authorities said they are offering such a large reward because of the attack on the largest pipeline operator in the United States, the fuel transportation company Colonial Pipeline. Let me remind you that we covered this attack in detail: it was this incident that forced the authorities to introduce an emergency regime in a number of states and became the last straw, after which law enforcement attention to ransomware increased sharply and hacker forums rushed to ban ransomware advertising.

“In offering this reward, the United States demonstrates its commitment to protecting ransomware victims around the world from exploitation by cyber criminals. The United States looks to nations who harbor ransomware criminals that are willing to bring justice for those victim businesses and organizations affected by ransomware,” the message from the government indicated.

After the attack on Colonial Pipeline, which drew too much attention from the authorities to the hackers, DarkSide ceased its activities, claiming that it had lost access to some of its accounts and servers. However, experts soon reported that the new BlackMatter ransomware could be considered the “successor” of the DarkSide malware and that the group had clearly just carried out a “rebranding”.

We also wrote that after REvil shut down, members of the DarkSide hack group hastily moved $7 million.

The aforementioned BlackMatter also stopped operating last week, citing pressure from local authorities and “some recent news”. Representatives of the group did not explain which news they meant, but the statement came after a series of major arrests in recent weeks.

After REvil shut down, members of the hack group DarkSide hastily moved $7 million
Published Mon, 25 Oct 2021. https://gridinsoft.com/blogs/members-of-the-darkside-hastily-moved-7-million/

Information security specialists noticed that at the end of last week the funds of the DarkSide hack group began to move: the attackers hastily transferred about $7 million to other wallets.

Moreover, each new transaction transfers a smaller amount, which makes the money harder to track.

The CEO and co-founder of Profero was the first to notice the transfers and announced on Twitter that 107 bitcoins (about $7 million) had moved from the group’s wallet to another wallet. He emphasized that the money is clearly controlled by the hackers themselves, since government agencies that seize assets usually simply move them to a new wallet under their control and do not try to break the funds into smaller pieces.


As the blockchain analysis company Elliptic reported a little later, the DarkSide cryptocurrency is passing through a chain of different wallets, and in the process the amount has already decreased from 107.8 BTC to 38.1 BTC. This is a typical money laundering scheme: it makes the funds harder to track and helps criminals convert cryptocurrency to fiat. According to Elliptic, the process is still ongoing, and small amounts have already been transferred to well-known exchanges.

[Figure: Withdrawal scheme]

Interestingly, the DarkSide funds were set in motion shortly after the media reported that law enforcement was behind the shutdown of another well-known hack group, REvil, having attacked the criminals’ infrastructure.

DarkSide has also received a lot of attention, especially last summer, when it hacked one of the largest pipeline operators in the United States, Colonial Pipeline. This incident forced the American authorities to introduce an emergency regime in a number of states and became the last straw: law enforcement attention to ransomware increased sharply, and hacker forums rushed to ban ransomware advertising altogether.

A week after the attack, and the unwelcome government attention it brought to the hackers, DarkSide announced it would cease operations. At the time the group claimed that it had lost control of some servers and cryptocurrency wallets (that is, its own money). However, in July the hackers rebranded themselves by launching new infrastructure and malware called BlackMatter.

It looks like now, after what happened to REvil, the hackers want to make sure they do not lose their funds a second time. Moreover, a few days earlier the American authorities issued a warning about BlackMatter’s activities, stating that the ransomware had already attacked “several critical US infrastructures.”

The new BlackMatter ransomware was created by the authors of recently “closed” DarkSide
Published Wed, 04 Aug 2021. https://gridinsoft.com/blogs/new-blackmatter-ransomware/

Last week, experts noticed the emergence of a new ransomware, BlackMatter, which combines the “best” features of the now defunct DarkSide and REvil.

In particular, analysts at Recorded Future wrote that the new group could be associated with DarkSide, which ceased operations in May of this year after the scandalous attack on Colonial Pipeline drew too much attention from the authorities to the hackers.

Several companies have already suffered from BlackMatter, and the hackers demanded ransoms of $3 to $4 million from them, Bleeping Computer now reports. One victim has already paid the cybercriminals $4 million and received decryptors for Windows and Linux (ESXi) from them.


The journalists showed this tool to information security expert Fabian Wosar, CTO of Emsisoft. He confirmed that BlackMatter uses the same unique encryption methods that the DarkSide group used in its attacks (including a custom Salsa20 matrix unique to this group).

The publication also notes that if BlackMatter is just a “rebranding” of DarkSide, this explains some of the restrictions listed on the hackers’ site. Among other things, the group states that it will not attack “the oil and gas industry (pipelines, oil refineries).” Let me remind you that it was the attack on the operator of the Colonial Pipeline that led to the “closure” of DarkSide.

Meanwhile, at the beginning of this week, Recorded Future analyst Smilyanets interviewed a representative of the new ransomware group. BlackMatter denies being connected with DarkSide; instead, the hackers say they were only inspired by “the work of colleagues.”

“Darkside is relatively new software with a good codebase (partly problematic, but the ideas themselves deserve attention) and an interesting web part when compared to other RaaS. [Our] executable file incorporates ideas from LockBit, REvil and partly DarkSide. The web part has incorporated the technical approach of DarkSide, as we consider it the most structurally correct (separate companies for each goal, and so on),” the criminals say.

When Smilyanets directly asked if representatives of the group could confirm that their infrastructure is based on DarkSide, they replied:

“We can say for sure that we are fans of the dark theme in design and have known the DarkSide team for collaboration in the past, but we are not them, although their ideas are close to us.”

Colonial Pipeline CEO Confirms that Company Paid Criminals $4.4M
Published Wed, 19 May 2021. https://gridinsoft.com/blogs/colonial-pipeline-paid-criminals/

The head of Colonial Pipeline confirmed that the company paid the criminals a ransom after the largest pipeline operator in the United States suffered from the DarkSide ransomware attack in mid-May 2021.

The attack caused problems with the supply of gasoline, diesel fuel, aviation fuel, and other refined products, and an emergency regime was introduced in a number of states.

The incident forced Colonial Pipeline to temporarily suspend operations. The company transports petroleum products between refineries on the Gulf Coast and markets in the south and east of the United States; its 5,500-mile pipeline carries up to 2,500,000 barrels per day, roughly 45% of all fuel consumed on the US East Coast.

At the end of last week, Bloomberg, citing its own anonymous sources, reported that the company had paid the ransomware operators a ransom of $5,000,000. Although the Washington Post and Reuters had previously written that the company did not intend to negotiate with the attackers, Bloomberg said this information was not true.

“Almost at the same time as this announcement, Colonial Pipeline was indeed able to restore its pipeline to normal operation, and supplies of petroleum products were resumed to normal volumes,” the media noted.

Colonial Pipeline CEO Joseph Blount officially confirmed to Wall Street Journal reporters today that the company paid the cybercriminals a ransom of $4.4 million in bitcoins. According to him, it was necessary in order to recover as quickly as possible from a ransomware attack that affected critical energy infrastructure. Blount called the ransom payment “the right thing to do” for the country.

“I know this is a very controversial decision. It was not easy for me to do it. I confess it was uncomfortable to see how money goes to such people,” said Blount, adding that the ransom had been paid back on May 7.

In the end, the company did receive a tool for decrypting its data, but, as previously reported, it worked so slowly that the company’s specialists were eventually forced to continue the recovery of systems from backups that they had already begun.

Let me remind you that after the sensational cyberattack on the American fuel giant Colonial Pipeline, experts proposed a kind of “vaccine” against Russian hackers.
