Russian-language hacking forum bans ransomware-related ads

XSS forum, one of the two most popular Russian-language forums with sites on clearnet and Tor, has announced that it is now banning ransomware-related ads.

No more ransom ads on XSS

No more ransom! Friends, on our forum lockers (Ransomware) and everything connected with them are prohibited. Namely:

  • Ransomware affiliate programs;
  • Ransomware rental;
  • sale of lockers (ransomware software);

All topics matching this rule will be removed. Fortunately, only a few of them were found.

In explaining his reasons, Admin stated, in part:

Too much PR. Lockers (ransom) have accumulated a critical mass of nonsense, nonsense, hype, noise. When you meet the “Ransomvarny negotiator” profession, you understand that you are in the looking glass or just crazy. Moreover, 90% of this madness was created artificially, feeding this hype. Those who make good money on this noise (exchanges, insurance, intermediaries, media, etc.)

Later, in response to a comment by a forum member, Admin further elaborated:

You can’t just go flying on an airplane without studying aeronautics and piloting =) Activities without ideology, without studying the hardware (coding, reverse, administration, baghunting) and aimed only at earning money, very quickly end in blunders or troubles. Without a technical background, you cannot immediately go into earnings. That is why, in order to teach people, we gathered here and Damaga was restored. This is not about “learning for the sake of learning”, but about building the right sequence and priorities. I would like to restore a normal healthy state of affairs.

Responding to the announcement, some members were supportive, while others pointed out it was likely to have little impact, as some will just go to and others will just communicate via other platforms. Within minutes of the announcement, “Unknown” of Sodinokibi (REvil) posted:

Sodinokibi Leaving XSS

In connection with the above, we are leaving this forum. Temporarily, our topic will be on (of course, everything will be deleted there soon). After removing and there, as well as the prohibitions of lockers, we go into private. According to our calculations, it will take about a week.

It seems likely that the ban’s announcement was at least partly inspired by the Colonial Pipeline incident, and DarkSide’s use of the forum to recruit affiliates and promote its RaaS operations. But the Colonial Pipeline incident wasn’t the only headline-grabbing ransomware incident this past week. And in dumping 250 GB of data from the Metropolitan Police D.C., Babuk commented:

Who only break the industry, then turn on the back speed, they like to open arbitrage on each other on the forums, well, huge sums that they did not even receive, ascribe loud attacks that do not exist, you yourself know who makes these high-profile attacks, the industry has changed, and we urge all colleagues to accept these changes, you either accept them or leave this business

Having previously announced that they were changing their operations and would no longer encrypt data, Babuk now announced what sounds like another change in plans:

Regarding our old promises regarding the source code of the babuk. I handed over the source code to another team, which will continue to develop the product under a different brand, I remain the only owner of the domain and blog, my service will continue to develop, we are not going to close and change the policy of our work, we advise our colleagues to leave public RaaS.

So changes are coming, and quickly, but those changes may only mean less public visibility and not less criminal activity or ransomware development.

Update: Intel471 managed to get a copy of DarkSide’s message to affiliates. Read it all here. They also noted an announcement from REvil’s operator in conjunction with Avaddon, announcing an amendment to the “rules” of their organizations. According to Intel471,

The updates barred affiliates from targeting government, healthcare, educational and charity organizations regardless of their country of operation. Additionally, all other targets need to be pre-approved by the ransomware’s operators prior to actual deployment.

All that said, Intel471 seems to agree with me that this may merely indicate a retreat from the spotlight or public spaces and not a real closing down of criminal activity.

About the author: Dissent
