Multiple ransomware groups claimed they were shutting down or scaling back operations on Friday as the U.S. government ramped up pressure while tech companies, cryptocurrency exchanges and others worried about getting caught in the crossfire.
DarkSide, the Russian-speaking gang blamed by the FBI for a hacking attack that led to a six-day fuel pipeline shutdown, said it was going out of business after losing access to some of its servers.
Another major criminal gang said it would forbid encryption attacks on critical infrastructure, and forums where such gangs recruit partners said they were banning ads related to ransomware, analysts said.
U.S. President Joe Biden repeatedly warned the gangs and major host country Russia about consequences for a ransomware attack that prompted Colonial Pipeline to shut down the main supply line to the East Coast.
That line was resuming full operation, but many pumps remain empty at stations in some states after days of panic buying.
Investigators said DarkSide provided the encryption software that a criminal affiliate used to render Colonial’s internal files inaccessible. It planned to split any ransom to recover that data with the affiliate, who the investigators have identified as another Russian criminal.
DarkSide claimed that some of its money had been transferred to new electronic wallets, though rivals and some U.S. experts warned the group could be using the uproar as an excuse to cash out. Ransomware gangs commonly change names and membership.
It was not immediately clear whether the professed retreat was due to U.S. diplomatic pressure, legal demands on technology providers or even government-backed hacking.
The FBI, Justice Department and White House National Security Council all declined to comment.
“Ransomware criminals are clearly getting nervous with all the heat coming down from U.S. government and industry,” said Dmitri Alperovitch, who co-founded security provider CrowdStrike before starting thinktank Silverado Policy Accelerator.
If it continues, the moves would reverse a trend in the past two years of the gangs targeting more vital companies that are likely to pay to resume operations, or to have insurance coverage that will pay for them.
“Many will likely try to lie low for a few months in hopes that it will pass,” Alperovitch said. “The key will be to keep up the pressure on both the criminal gangs themselves as well as the states like Russia that offer them safe haven from prosecution.”
Earlier this year, U.S. authorities cited the ransomware surge as a national security threat and noted some overlaps with foreign government interests. The Justice Department established a ransomware task force, and a public-private study panel issued recommendations including greater regulation of cryptocurrency.