DarkSide Ransomware Group Faces XSS Ban, Servers Seized

DarkSide Faces Operational and Reputational Setbacks of Its Own

In the 36 hours following Colonial Pipeline’s resumption of operations, DarkSide—the ransomware group responsible for the attack that took Colonial’s pipeline systems offline for close to a week—is facing a number of operational and reputational setbacks of its own. 

XSS Forum Bans DarkSide and Other Ransomware Collectives

First, in the evening of Thursday, May 13, 2021, the illicit Russian-language cybercriminal forum “XSS” made an announcement that all ransomware activities would be outlawed on the forum going forward, including ransomware affiliate programs, ransomware for rent, and sale of ransomware software. Historically, the XSS forum has been a valuable tool for ransomware groups to recruit affiliates, with many collectives maintaining an active presence on the forum, including REvil, Babuk, Darkside, LockBit, Nefilim, and Netwalker to recruit affiliates. 

According to the administrator of XSS, the decision is partially based on ideological differences between the forum and ransomware operators. Furthermore, the media attention from high-profile incidents has resulted in a “critical mass of nonsense, hype, and noise.” The XSS statement offers some reasons for its decision, particularly that ransomware collectives and their accompanying attacks are generating “too much PR” and heightening the geopolitical and law enforcement risks to a “hazard[ous] level.” 

The admin of XSS also claimed that when “Peskov [the Press Secretary for the President of Russia, Vladimir Putin] is forced to make excuses in front of our overseas ‘friends’ – this is a bit too much.” They hyperlinked an article on the Russian News website Kommersant entitled “Russia has nothing to do with hacking attacks on a pipeline in the United States” as the basis for these claims. 

As of 7:00 AM EDT, May 14, 2021, all of DarkSide’s posts had been removed from XSS forums.

DarkSide’s Onionsite Closed and Its Servers Seized

Second, also in the evening of Thursday, May 13th, the spokesperson for the REvil ransomware group, UNKN, made a post on the top-tier Russian-language forum Exploit, quoting DarkSide’s previous post that has since been removed from the site. Translated into English, this Russian statement from DarkSide reads:

“Ever since the first version, we promised to speak honestly and openly about problems. A few hours ago, we lost access to the public part of our infrastructure, namely:

Blog.

Payment server.

DOS servers.

Now these servers are unavailable via SSH, the hosting panels are blocked. Hosting support, apart from information ‘at the request of law enforcement agencies,’ does not provide any other information.

Also, a few hours after the withdrawal, funds from the payment server (ours and clients’) were withdrawn to an unknown address.”

In the wake of DarkSide’s closure, REvil emphasized and introduced new rules of operation for its members. The English translation of these new rules reads:

“1. It is prohibited to work in the social sector (health care, educational institutions);

2. It is forbidden to work on the govt-sector (state) of any country;

3. The target has to be agreed with the administration of REvil: write a description of the goal, its website, zoom info, etc.”

Ransomware Attacks Far From Over

XSS’s decision to ban ransomware collectives will result in temporary setbacks for these groups, forcing them to adjust and relocate their recruitment efforts to maintain their efficient and profitable Ransomware-as-a-Service (RaaS) business models. 

Needless to say, however, it’s all but certain that ransomware will remain a persistent threat for the foreseeable future given their popularity and popularity among cybercriminal communities. If anything, ransomware attacks will likely continue to grow in both scale and frequency. After the closure of DarkSide, the ransomware landscape is dominated by four major collectives: REvil, LockBit, Avaddon, and Conti.

Flashpoint assesses with moderate confidence that well-established ransomware collectives—including REvil, LockBit, Avaddon, and Conti—will continue to operate in private mode. Additionally, ransomware collectives will likely begin to advertise recruitment for new affiliates via their own leak sites since many cybercriminal forums, like XSS, and other similar platforms used for ransomware advertisements will now likely refuse to host their activities.

Prepare for Ransomware with Flashpoint

Request a demo today and see firsthand how Flashpoint’s Threat Response and Readiness offerings ensure your entire team is prepped and able to respond to any ransomware attack. And when equipped with Flashpoint Intelligence Platform and our dedicated, prebuilt ransomware dashboards, you move a step ahead of ransomware attacks and the cybercriminal groups who use them.