A popular cybercrime forum claims to have banned all ransomware activity due to ideological differences and concerns over the amount of publicity that high-profile incidents are generating.
Russian language forum XSS has contributed to the success of Ransomware as a Service (RaaS) groups like Netfilim, REvil, DarkSide and Babuk, by providing a platform to recruit new affiliates, according to Flashpoint.
However, an administrator post late last week claimed that all sales of ransomware and affiliate activity would be prohibited from the site, the threat intelligence vendor reported.
The activity of groups like DarkSide, which recently caused a furore after disrupting fuel supplies on the US East Coast, are generating “too much PR,” escalating geopolitical and law enforcement risk and building a “critical mass of nonsense, hype, and noise,” according to the post.
The geopolitical aspect appears significant: the post apparently argues that when President Putin’s press secretary has to deny Kremlin involvement in attacks, “this is a bit too much.”
Russian cyber-criminals have always been sheltered by the state on the unwritten proviso that attacks are aimed at the country’s strategic foes, such as European and North American countries.
XSS’s decision would seem to suggest some in the community are becoming anxious at the level of scrutiny from the US and other governments that such attacks are drawing.
Flashpoint also claimed that DarkSide released a now-deleted statement claiming that its data leak blog, payment server and DOS servers have been blocked and funds from the payment servers were “withdrawn to an unknown address.”
However, according to a statement from Digital Shadows, forum members have questioned the authenticity of the post.
In the meantime, it’s unlikely that XSS’s decision will impact the ransomware industry.
“Flashpoint assesses with moderate confidence that well-established ransomware collectives — including REvil, LockBit, Avaddon, and Conti — will continue to operate in private mode,” the vendor said.
“Additionally, ransomware collectives will likely begin to advertise recruitment for new affiliates via their own leak sites since many cyber-criminal forums, like XSS, and other similar platforms used for ransomware advertisements will now likely refuse to host their activities.”