{
	"id": "0e148c6a-9a16-46af-bacd-62b43f0dd668",
	"created_at": "2026-04-06T00:12:24.302466Z",
	"updated_at": "2026-04-10T03:24:30.089848Z",
	"deleted_at": null,
	"sha1_hash": "63ed6b7bbe383ce1ad53b766ada49cebfe44e363",
	"title": "The moral underground? Ransomware operators retreat after Colonial Pipeline hack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50543,
	"plain_text": "The moral underground? Ransomware operators retreat after Colonial Pipeline hack\r\nBy Intel 471\r\nPublished: 2026-04-01 · Archived: 2026-04-05 17:44:37 UTC\r\nThe ransomware attack on Colonial Pipeline has caused a large amount of trouble in the United States. It looks as if that trouble has made its way back to the cybercrime underground.\r\nIntel 471 has observed numerous ransomware operators and cybercrime forums either claiming their infrastructure has been taken offline, amending their rules, or abandoning ransomware altogether because of the negative attention directed their way over the past week.\r\nOn May 13, 2021, the operators of the DarkSide Ransomware-as-a-Service (RaaS) announced they would immediately cease operations of the DarkSide RaaS program. The operators said they would issue decryptors to all their affiliates for the targets they attacked, and promised to settle all outstanding financial obligations by May 23, 2021. The group, which has been named as the one responsible for the Colonial Pipeline incident, also passed an announcement to its affiliates claiming that the public portion of the group's infrastructure was disrupted by an unspecified law enforcement agency. The group’s name-and-shame blog, ransom collection website, and breach data content delivery network (CDN) were all allegedly seized, while funds from its cryptocurrency wallets were allegedly withdrawn.\r\nIntel 471 obtained the announcement, which is available below.\r\n[Image: screenshot - The note DarkSide passed to affiliates.]\r\nTranslated into English, the note reads:\r\nStarting from version one, we promised to speak about problems honestly and openly. A couple of hours ago, we lost access to the public part of our infrastructure, in particular to the\r\nblog\r\npayment server\r\nCDN servers\r\nAt the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked.\r\nThe hosting support service doesn't provide any information except \"at the request of law enforcement authorities.\"\r\nIn addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.\r\nThe following actions will be taken to solve the current issue: You will be given decryption tools for all the companies that haven't paid yet.\r\nAfter that, you will be free to communicate with them wherever you want in any way you want. Contact the support service. We will withdraw the deposit to resolve the issues with all the affected users.\r\nThe approximate date of compensation is May 23 (due to the fact that the deposit is to be put on hold for 10 days on XSS).\r\nIn view of the above and due to the pressure from the US, the affiliate program is closed.\r\nStay safe and good luck.\r\nThe landing page, servers, and other resources will be taken down within 48 hours.\r\nDarkSide was not the only group to make this type of announcement on May 13. Another RaaS group, Babuk, claimed it handed over the ransomware’s source code to \"another team,\" which would continue to develop it under a new brand. The group pledged to stay in business, continuing to run a victim name-and-shame blog, while also encouraging other ransomware gangs to switch to a private mode of operation. This announcement came after the group released the remaining portions of the data stolen from the District of Columbia’s Metropolitan Police Department. That archive, which contained 250 GB worth of data, allegedly included officers' and auxiliary personnel's personal data, a database filled with information on criminals, as well as information on police informants.\r\nWhile Babuk pledged to keep its operations running, it may find it difficult to find affiliates. Shortly after the above announcements, the administrator for one of the most popular Russian-language cybercrime forums announced an immediate ban of all ransomware-related activity on their forum. The forum now prohibits ransomware advertising, sales, ransom negotiation services and similar offers. Any listings currently on the forum will be deleted. The administrator explained the move by saying ransomware operations are becoming “more and more toxic” and dangerous for the underground community.\r\nThat announcement rippled across the forum, prompting other well-known RaaS affiliates to make their own announcements regarding the status of their operations. One operator known to be behind the REvil ransomware program announced they would stop promoting their malware on the forum, deleting the forum thread where the service was advertised. The operator said REvil would continue operating on another well-known Russian-language cybercrime forum, but expected that forum would soon also ban all ransomware-related activity. If that occurs, the operator said REvil would likely go fully private.\r\nShortly thereafter, REvil’s operator released coordinated statements with an operator behind the Avaddon RaaS program, announcing an amendment to the “rules” of their organizations. The updates barred affiliates from targeting government, healthcare, educational and charity organizations regardless of their country of operation. Additionally, all other targets must be pre-approved by the ransomware operators before deployment.\r\nIntel 471 believes that all of these actions can be tied directly to the backlash against the high-profile ransomware attacks covered by the media this week. However, a strong caveat should be applied to these developments: it’s likely that these ransomware operators are trying to retreat from the spotlight more than suddenly discovering the error of their ways. A number of the operators will most likely operate in their own close-knit groups, resurfacing under new names and updated ransomware variants. Additionally, the operators will have to find a new way to “wash” the cryptocurrency they earn from ransoms. Intel 471 has observed that BitMix, a popular cryptocurrency mixing service used by Avaddon, DarkSide and REvil, has allegedly ceased operations. Several apparent customers of the service reported they were unable to access BitMix in the last week.\r\nFurthermore, there will be ransomware operators that continue with their own operations despite all of this week’s attention. On the same day as the coordinated announcements from REvil and Avaddon, Ireland's health service operator had to shut down all of its IT systems due to a \"significant\" ransomware attack.\r\nIntel 471 will continue to watch and report on further developments as ransomware operators adjust their enterprises.\r\nSource: https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime"
	],
	"report_names": [
		"darkside-ransomware-shut-down-revil-avaddon-cybercrime"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434344,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/63ed6b7bbe383ce1ad53b766ada49cebfe44e363.pdf",
		"text": "https://archive.orkl.eu/63ed6b7bbe383ce1ad53b766ada49cebfe44e363.txt",
		"img": "https://archive.orkl.eu/63ed6b7bbe383ce1ad53b766ada49cebfe44e363.jpg"
	}
}