Servers for Darkside were taken down by unknown actors Friday, a week after the cyber extortionist forced the shutdown of a large US oil pipeline in a ransomware scam, a US cyber security firm said.

Recorded Future, the security firm, said in a post that the allegedly Russia-based Darkside had admitted in a web post that it lost access to certain servers used for its web blog and for payments.

Accessed via TOR on the dark web, the Darkside site address showed a notice saying it could not be found.

Recorded Future threat intelligence analyst Dmitry Smilyanets said he found a Russian language comment on a ransomware website ostensibly from "Darksupp", described as the operator of Darkside.

"A few hours ago, we lost access to the public part of our infrastructure, namely: Blog. Payment server. DOS servers," Darksupp wrote.

"The Darkside operator also reported that cryptocurrency funds were also withdrawn from the gang's payment server, which was hosting ransom payments made by victims," said Recorded Future.

After a cyber attack, Colonial said it was moving toward a partial reopening of its pipeline system -- the largest fuel network between Texas and New York
After a cyber attack, Colonial said it was moving toward a partial reopening of its pipeline system -- the largest fuel network between Texas and New York AFP / JIM WATSON

While there was no evidence of who might have forced down Darkside's website, the twitter account of a US military cyber warfare group, the 780th Military Intelligence Brigade, retweeted the Recorded Future report on Friday.

Darkside, which only surfaced online late last year, was behind the attack on Colonial Pipeline that forced the shutdown of its network shipping gasoline, diesel and aviation fuel across much of the eastern half of the United States.

After Darkside froze Colonial's computer systems last week and demanded millions in ransom to unlock them, Colonial shut down its pipeline, sparking fuel shortages and long lines at gas stations across much of the southeast.

pmh/dw