The claims were published by The Record, a website recently launched by the firm Recorded Future. It cited a post, spotted by one of its analysts, Dmitry Smilyanets, from the alleged operator of the malware.
Darkside is "shutting down and getting out of ransomware" the same way that Capitol rioters truly believe the election wasn't stolen... — Jake Williams (@MalwareJake) May 14, 2021
“A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. CDN servers,” Smilyanets quoted in a tweet from a post attributed to one Darksupp, who is claimed to be the person behind the malware operation.
“Now these servers are unavailable via SSH, and the hosting panels are blocked."
It said the wallet in question had been active since 4 March and had received 57 different payments.
President Biden promised a US response to DarkSide yesterday and right now something very bad appears to be happening to DarkSide, which hacked the Colonial Pipeline. — Eamon Javers (@EamonJavers) May 14, 2021
Bloomberg had claimed a ransom of US$5 million was paid by Colonial while other news services like Reuters had said the company was refusing to pay up.
The US had vowed to exact revenge on the DarkSide operators as the Colonial incident affected petrol supply within the country and led to a rise in prices.
In a related development, the operators of the biggest dark web cyber crime forum have decided to ban ransomware advertisements.
In a statement issued in Russian and translated by security writer Yelisey Boguslavskiy, the XSS forum said: "We are glad to see penetration testers, specialists, coders, but we are not happy with lockers.
"All topics related to lockers will be deleted."
In a blog post, the security firm Intel471 said the DarkSide operators had decided to shut down their ransomware-as-a-service on 13 May.
"Operators said they would issue decryptors to all their affiliates for the targets they attacked, and promised to compensate all outstanding financial obligations by May 23, 2021," the post said.
"The group... also passed an announcement to its affiliates claiming a public portion of the group's infrastructure was disrupted by an unspecified law enforcement agency.
"The group’s name-and-shame blog, ransom collection website, and breach data content delivery network were all allegedly seized, while funds from their cryptocurrency wallets allegedly were exfiltrated."
Contacted for comment, Brett Callow, a seasoned ransomware researcher with the New Zealand-headquartered infosec firm Emsisoft, said: "All of DarkSide's sites are down except for their payment portal. The question is whether the sites were seized by law enforcement or whether DarkSide has simply done a runner, taking their partners in crime's cash with them. I suspect they've legged it.
"This isn't a particularly sophisticated group and their post-attack comments clearly indicated they were uncomfortable with what had happened - or, more accurately, the potential consequences.
"Sadly, though, while this may mark the end of the DarkSide operation, the individuals behind it will likely not cease to be a pain in our collective arses. They'll most likely just rebrand or go back to being affiliates for other gangs."