Colonial Pipeline hacker group's dark web site no longer accessible

In a message posted after the Colonial attack, the group hinted at contrition and that a "partner" might be to blame. PHOTO: EPA-EFE

WASHINGTON (BLOOMBERG) - The dark web page belonging to the ransomware group accused of attacking Colonial Pipeline in the US has gone down.

The FBI and cybersecurity experts identified DarkSide as the group behind the Colonial attack that forced the company to shut down operations, triggering fuel shortages in parts of the US. Some evidence has linked DarkSide's operations to Russia and other Eastern European countries.

It's not clear if the site is down because of a technical snafu, which isn't uncommon on the dark web, or some action by law enforcement or the group itself, which is facing the wrath of the US government. Ransomware is a type of malware that encrypts a victim's data; the groups sometimes steal data too. The hackers then ask for a payment to unlock the files or return the stolen data.

DarkSide maintains at least eight domains or websites on the dark web. One is a public-facing website used by DarkSide and its hackers-for-hire to name and shame victims who've ignored or refused the group's ransom demands. The other seven sites are used by the group to host the data they've stolen.

Four of those seven domains are also down. Three are loading blank, white pages. One simply reads, "Darkside CDN." CDN stands for content delivery network. A separate site used as a payment gateway is still operational.

Dark web researchers speculated that the outage could be DarkSide's effort to duck law enforcement given the turmoil caused by the attack. "DarkSide is likely going to go quiet and rebrand itself, as we've observed with other dark net ransomware operators in the past when they became targets of law enforcement," said Mark Turnage, co-founder of DarkOwl, a dark web and cyber research firm.

Some ransomware groups maintain pages on the dark web where they post stolen documents to pressure victims into paying or list the names of companies that have refused their demands.

DarkSide posted what appeared to be three new victims on its site as recently as May 12, as it continued to leak new data on the site for existing digital hostages.

In a message posted after the Colonial attack, the group hinted at contrition and that a "partner" might be to blame. Like some other ransomware groups, DarkSide offers to sell its malware to others in what is known as "ransomware-as-a-service."

"We are apolitical. We do not participate in geopolitics," the message said. "Our goal is to make money and not creating problems for society. From today, we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future."