The criminal group behind Darkside has shut down its RaaS (Ransomware-as-a-Service) operation, cut off the related resources and promised to issue decryptors to partners for the affected companies. The announcement was published on one of the hacker forums after the owners of the malware lost access to the public part of their infrastructure and lost the cryptocurrency received from the victims of the infection. As an additional reason for closing the affiliate program, the owners of Darkside cited pressure from the American authorities. Following an attack on the Colonial Pipeline that disrupted the supply of gas to half of the US East Coast, President Joe Biden pledged that the barbarians would not go unpunished. The FBI has already launched an investigation, and, judging by the post from a representative of the Darkside service, access to the hosting was blocked at the request of law enforcement agencies. There has not yet been an official statement from the authorities about this. It is possible that the threat of prosecution is just a cover and the attackers simply decided to run away with their partners' money so as not to share it. Such fraud is known in the criminal environment as an exit scam.
Be that as it may, the site on which the Darkside operators published the data stolen from the attacked companies is currently not available either. Their payment server on the Tor network was still working at the end of last week; if law enforcement had seized it, they would probably have decided to give the victims the opportunity to get the decryption key. Incidentally, a free alternative decryptor for Darkside has been available to everyone in need since January of this year; it can be downloaded from the website of the information security company Bitdefender. The hype in the press over the devastating attack on the Colonial Pipeline dismayed everyone involved in the spread of ransomware. The largest underground forums, XSS and Exploit, began to clean their pages of advertising for such malware and related services, deciding that such close attention to this topic could harm them. The operators of the RaaS services REvil and Avaddon, Darkside's closest competitors, jointly announced on Exploit the introduction of restrictions on targets, prohibiting partners from attacking hospitals, schools and government agencies. They also reduced the number of affiliate programs and decided to work only with a narrow circle of trusted associates. Security experts expect that after the leading RaaS services go into the shadows, their orphaned clients will continue their malicious operations, but as part of small groups, under new names and with updated versions of ransomware. They will also have to change their cryptocurrency laundering service provider (a mixer): the popular cybercriminal service BitMix, which was used by the partners of Darkside, REvil and Avaddon, has become inaccessible and seems to have ceased to exist.
![image1darkside_disrupted.png](https://www.anti-malware.ru/files/image1darkside_disrupted.png)