After making a grand impact on the US oil industry, the operators of DarkSide ransomware have decided to shut down operations after facing pressure from the US. In a note to its affiliates, DarkSide ransomware said that their data leak blog, CDN servers, and payment server have been inaccessible. While they’re allegedly pulled down by law enforcement, DarkSide decided to clear the dues and shut down for good.

A Goodbye Note to DarkSide Affiliates

DarkSide RansomwareJust in a span of few months, the DarkSide group has grown to be one of the key players in the ransomware industry. The perpetrators have earlier attacked CompuCom, Canadian Discount Car and Truck Rentals, and the US Colonial Pipeline.

While ransomware groups attack vulnerable entities, they often target wealthy corporates. But hitting sensitive entities like healthcare, educational institutions, or government agencies will draw unwanted attention. And this happened in the case of the DarkSide group, which took over Colonial Pipeline and forced it to pay a $4.4 million ransom.

This shook the US government as the President himself warned companies to remain vigilant and spotted that the perpetrators are from Russia! May they have planned a secret operation behind the warnings, as unknown law enforcement is somehow the reason behind DarkSide’s fall now.

As posted in a popular Russian hacking forum, the DarkSide group announced the shutdown of their RaaS operations to their affiliates. The post, translated from Russian to English, read as;

“Starting from version one, we promised to speak about problems honestly and openly. A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the


payment server

CDN servers

At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.

The hosting support service doesn’t provide any information except “at the request of law enforcement authorities.” In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.

The following actions will be taken to solve the current issue: You will be given decryption tools for all the companies that haven’t paid yet.

After that, you will be free to communicate with them wherever you want in any way you want. Contact the support service. We will withdraw the deposit to resolve the issues with all the affected users.

The approximate date of compensation is May 23 (due to the fact that the deposit is to be put on hold for 10 days on XSS).

In view of the above and due to the pressure from the US, the affiliate program is closed. Stay safe and good luck.

The landing page, servers, and other resources will be taken down within 48 hours.”

Soon after this, other popular ransomware groups like REvil and Avaddon has made a new post on their own dark websites, directing their affiliates of new rules while attacking targets. They now bar the affiliates from targeting sensitive entities like healthcare, educational institutions, and government agencies that disrupt the public and draw unwanted attention, as in DarkSide ransomware.

Further, the REvil group said the affiliates need permission before they exploit their targets. These moderation rules may force affiliates to shift to other ransomware groups or make the operators struggle, like in the case of Babuk ransomware.


Please enter your comment!
Please enter your name here