Following the disruptive cyberattack on Colonial Pipeline, ransomware has drawn great media attention. Soon after DarkSide made it to the news for this attack, the gang lost access to its servers shortly after security personnel assured of the takedown. Consequently, cybercrime forums, considering how ransomware can draw attention, put a ban on ransomware-related ads or discussions.
Cybercrime Forums Ban Ransomware-Related Stuff
Reportedly, right after DarkSide announced its departure following the loss of its servers, the Russian cybercrime forum XSS has put a ban on all ransomware-related discussions.
According to the post from the XSS admin, discovered by Advanced Intel’s Yelisey Boguslavskiy, the XSS admin announced a complete ban on RaaS related topics. Also, the forum admin decided to remove all RaaS related threads.
Some good news ‼️
The admin of (likely) largest Russian-speaking forum – a hub for almost all top #RaaS just announced that #RaaS on the forum is prohibited since this day
The ‼️ deletion ‼️ of all ransomware thread is announced to start now
This makes RaaS life well harder pic.twitter.com/L67bNALLyi
— Yelisey Boguslavskiy (@y_advintel) May 13, 2021
Translating from the post the main reason behind this decision, Boguslavskiy tweeted,
The full admin statement says:
"Ransomware became political. Peskov (Putin's press secretary) is forced to make excuses to our overseas "friends" … It is now equated with unpleasant things – geopolitics, extortion, government hacking. This word has become dangerous and toxic."
— Yelisey Boguslavskiy (@y_advintel) May 14, 2021
The decision largely remained unwelcomed. And, soon after, the REvil ransomware gang announced their departure from the forum.
#REvil already responded by announcing that they are leaving the forum
Their deposit was withdrawn earlier pic.twitter.com/UUTZkpQupk
— Yelisey Boguslavskiy (@y_advintel) May 14, 2021
While that was enough to cause a stir, another forum, Exploit, made a similar announcement shortly. Something REvil already hinted in their departure note.
As noticed, Exploit admin also decided to ban RaaS related ads. They further explained to remove all ransomware affiliate programs and all previous threads from the forum.
Another one bites the dust – forum Exploit bans #ransomware pic.twitter.com/d4nknItz7E
— ?????? ?????????? (@ddd1ms) May 14, 2021
Joining these two cybercrime forums, Raid Forums also announced banning ransomware-related posts.
Same on Raid Forums… pic.twitter.com/RvqdM5bnQC
— Bank Security (@Bank_Security) May 14, 2021
Perhaps, the forums took these steps to avoid drawing unsolicited attention from the US LEAs following the Colonial Pipeline fiasco.
What Next?
While it remains unclear how RaaS operators will now manage promotions, what’s evident is a shift in their target list.
For instance, Avaddon and REvil, two disruptive ransomware gangs, have announced to become somewhat ethical (pun intended) in targeting victims.
Avaddon announced not to target healthcare, educational, and social infrastructure.
We got the chain effect⚡️- RaaS are now struggling to not get banned from Exploit – #Avaddon ransomware declares that they will not target healthcare, education, and social infrastructure⚕️
Avaddon targetted global entities, including healthcare and COVID-19 vaccine developers pic.twitter.com/gdjTV2tdYn
— Yelisey Boguslavskiy (@y_advintel) May 14, 2021
Whereas, REvil, also announced to refrain from targeting social and government sectors.
These announcements came shortly after DarkSide admitted the loss of control over its infrastructure.
However, if the trend on cybercrime forums to prohibit ransomware promotions continues, RaaS operations may face trouble continuing their activities.
