To preserve their business models, ransomware groups may be trying to take a step back from the spotlight after high-profile attacks on the Colonial Pipeline Co. and Ireland's national health service drew global attention and condemnation, The Wall Street Journal reported.
In early May, the DarkSide ransomware gang hit Colonial Pipeline with a cyberattack, forcing the company to shut down a main pipeline that supplies gasoline and diesel fuel to the U.S. East Coast for six days.
Colonial Pipeline paid the criminal gang $5 million May 13 to put an end to the attack, and, shortly after, DarkSide told associates who use its malware that it was disbanding because its operational infrastructure had been shut down, according to the Journal. The shutdown came after President Joe Biden and the White House contacted the Russian government about taking action against such criminal groups.
Ireland's national health service took its computer systems offline May 14 after experiencing a "significant" ransomware attack by the Conti ransomware gang; the health service still is crippled by the attack, which has disrupted care throughout the country. Conti gave Ireland a tool last week to help reverse the damage but still threatened to leak stolen data unless the country paid a ransom, according to the May 25 report.
The backpedaling of both the DarkSide and Conti gangs shows how these cybercriminal groups prefer to operate in the shadows, only using publicity when it benefits them in the form of extortion schemes. The groups now are trying to avoid scrutiny after these high-profile attacks generated law enforcement pushback.
"If they're quietly forcing C-suite executives to hand over large checks, that’s one thing," Ciaran Martin, former head of the British government’s cybersecurity agency, told the Journal. "If they’re causing huge problems for the U.S. president and EU member states, that’s quite a different problem."
In the past, some ransomware groups have offered decryptors to victims like hospitals or nonprofits, said Brett Callow, a threat analyst at cyber firm Emsisoft, adding that it is "possible that they're concerned with the well-being of others or, more likely, it was an act of self-preservation. Attacks of this scale, which are so high-profile, mean that governments really can’t be seen as ignoring this anymore."