The Colonial Pipeline ransomware gang is back under a new name

DarkSide appeared to be vanquished after its Colonial Pipeline hack.
DarkSide appeared to be vanquished after its Colonial Pipeline hack.
Image: REUTERS/Hussein Waaile
We may earn a commission from links on this page.

You probably remember the ransomware attack against Colonial Pipeline: On May 7, a Russian cybergang under the name DarkSide hacked the company that operates the largest fuel pipeline in the US. The hackers knocked the pipeline offline, creating temporary gas shortages, and demanded a $5 million ransom in exchange for ending their attack.

You may also recall what happened next. The attack lit up social media and outraged Americans who waited for hours to refill their tanks. US president Joe Biden announced law enforcement would “pursue a measure to disrupt [DarkSide’s] ability to operate.” Realizing they may have bitten off more than they could chew, DarkSide released a statement on May 10 vowing to “avoid social consequences in the future.” But it was too late. By May 14, the hackers announced their servers had been knocked offline, their bitcoin had been stolen from their wallets, and they would be shutting down their operation “due to pressure from the US.” On June 7, the FBI triumphantly announced it had recovered $2.3 million from the Colonial Pipeline ransom.

The hackers are back

That victory was short-lived: The DarkSide hackers appear to be back in business under the new moniker “Black Matter.” The new operation launched about a month after DarkSide folded and has posted ads on Russian language hacking forums seeking partners who can help it access the servers of major companies in the US, UK, Canada, or Australia with revenues of $100 million or more. If Black Matter is a reincarnation of DarkSide—as cybersecurity experts suspect—it would follow a familiar pattern for hacking groups, which frequently relaunch under new names whenever they attract too much attention from authorities.

In fact, some cybersecurity experts say US law enforcement’s victory over DarkSide could have been a charade from the start. In the days after DarkSide shut down, several users on hacking forums claimed to be jilted DarkSide business partners who were owed money for their role in previous ransomware attacks but never got paid. Some speculated the narrative about US law enforcement shutting down the group was just a cover story for DarkSide to declare “bankruptcy,” at least in black market terms, and run off with whatever money they had left. The Washington Post has reported, based on four interviews with anonymous government officials, that the US had nothing to do with disrupting DarkSide.

The US can’t stop ransomware alone

Darkside’s fate underscores how little power US law enforcement has to stop ransomware hackers on its own. Whatever strategies the US employs—stealing hackers’ bitcoin, launching its own cyberattacks against the hackers’ servers—it will always be playing whack-a-mole against criminal groups that are adept at disbanding, scattering, and reconstituting themselves later.

The only lasting solution is for permissive host countries like Russia to crack down on the hackers in their jurisdictions and actually arrest the people behind the constantly shifting array of cybergangs that menace the web. So far, those countries have shown little interest in going after home-grown hackers because the cybercriminals studiously avoid targeting victims in their own countries and sometimes team up with their host governments on cyber espionage missions.

In response, the US and its European allies have tried to coordinate international pressure campaigns to get resistant governments to go after cyber gangs. Biden has personally admonished Russian president Vladimir Putin to take down Russian hackers, and recently warned that a ransomware attack could lead the US into a “real shooting war.