The operators behind the ransomware attack that took down the Colonial Pipeline last week claim their infrastructure has been taken offline, and that they will cease their ransomware as a service (RaaS) programme.
Last week, DarkSide hackers attacked Colonial Pipeline, forcing the operator to suspend 5,500 miles of pipeline between Texas and New York and disrupting the fuel supply to large swathes of the US east coast. They also took 100GB of data from the network before locking computers and demanding payment in a double extortion attempt.
Amid reports that Colonial Pipeline paid the hackers $5 million (roughly £3.5 million) to restore data and services, DarkSide released a statement rowing back on the attack, expressing regret, and insisting the only motive was financial, not geopolitical.
The operators have now claimed they would immediately cease operations of their RaaS scheme, issuing decryptors to all targets they attacked, alongside the promise of compensation, according to Intel 471.
The group also shared a message with their affiliates claiming that a public portion of their infrastructure had been disrupted by an unnamed law enforcement agency. DarkSide’s name-and-shame blog, ransom collection site and breach data delivery network were all seized, while funds from their cryptocurrency wallet were siphoned away.
The backlash against the Colonial Pipeline attack has spread, with another prominent group, Babuk, also stepping down from ransomware. The group handed its ransomware source code to “another team” with the aim of continuing this work under a new brand, while Babuk would continue to run a name-and-shame blog.
Meanwhile, the administrators for XSS, a widely-used Russian cyber crime forum, have announced an immediate ban of all ransomware advertising and activity, with the promotion of services or related discussions also prohibited.
An admin explained the decision by claiming there’s “too much PR”, and that the forum had “accumulated a critical mass of nonsense”, according to DataBreaches.net.
RELATED RESOURCE
2021 state of email security report: Ransomware on the rise
Securing the enterprise in the COVID world
Almost immediately after, another popular cyber crime site, Exploit.in, followed suit and announced that ransomware-related chatter and activity would be banned.
Several other highly prominent groups have reacted to the fallout by announcing rule changes to their organisation, effectively clamping down on the free reign that affiliates have had in the organisation they target.
REvil, for example, has banned affiliates from targeting government, healthcare, educational and charitable organisations. All targets must also be pre-approved by the ransomware operators prior to deployment.
“Intel 471 believes that all of these actions can be tied directly to the reaction related to the high-profile ransomware attacks covered by the media this week,” the firm said in a blog post. “However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways.
“A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to “wash” the cryptocurrency they earn from ransoms.”
-
Women show more team spirit when it comes to cybersecurity, yet they're still missing out on opportunitiesNews While they're more likely to believe that responsibility should be shared, women are less likely to get the necessary training
-
OpenAI's new GPT-4.1 models miss the mark on coding tasksNews OpenAI says its GPT-4.1 model family offers sizable improvements for coding, but tests show competitors still outperform it in key areas.
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
