Russian-language hacking forum bans ransomware-related ads
XSS forum, one of the two most popular Russian-language forums with sites on clearnet and Tor, has announced that it is now banning ransomware-related ads.
No more ransom! Friends, on our forum lockers (Ransomware) and everything connected with them are prohibited . Namely:
- Ransomware affiliate programs;
- Ransomware rental;
- sale of lockers (ransomware software);
All topics matching this rule will be removed. Fortunately, only a few of them were found.
In explaining his reasons, Admin stated, in part:
Too much PR. Lockers (ransom) have accumulated a critical mass of nonsense, nonsense, hype, noise. When you meet the ” Ransomvarny negotiator ” Profession , you understand that you are in the looking glass or just crazy. Moreover, 90% of this madness was created artificially, feeding this hype. Those who make good money on this noise (exchanges, insurance, intermediaries, media, etc.)
Later, in response to a comment by a forum member, Admin further elaborated:
You can’t just go flying on an airplane without studying aeronautics and piloting =) Activities without ideology, without studying the hardware (coding, reverse, administration, baghunting) and aimed only at earning money, very quickly end in blunders or troubles. Without a technical background, you cannot immediately go into earnings. That is why, in order to teach people, we gathered here and Damaga was restored. This is not about “learning for the sake of learning”, but about building the right sequence and priorities. I would like to restore a normal healthy state of affairs.
Responding to the announcement, some members were supportive, others pointed out it was likely to have little impact, as some will just go to Exploit.in and others will just communicate via other platforms. Within minutes of the announcement, “Unknown” of Sodinokibi (REvil) posted:
In connection with the above, we are leaving this forum. Temporarily, our topic will be on exploit.in (of course, everything will be deleted there soon). After removing and there, as well as the prohibitions of lockers, we go into private. According to our calculations, it will take about a week.
It seems likely that the ban’s announcement was at least partly inspired by the Colonial Pipeline incident, and DarkSide’s use of the forum to recruit affiliates and promote its RaaS operations. But the Colonial Pipeline incident wasn’t the only headline-grabbing ransomware incident this past week. And in dumping 250 GB of data from the Metropolitan Police D.C., Babuk commented:
Who only break the industry, then turn on the back speed, they like to open arbitrage on each other on the forums, well, huge sums that they did not even receive, ascribe loud attacks that do not exist, you yourself know who makes these high-profile attacks, the industry has changed, and we we urge all colleagues to accept these changes, you either accept them or leave this business
Having previously announced that they were changing their operations and would no longer encrypt data, Babuk now announced what sounds like another change in plans:
Regarding our old promises regarding the source code of the babuk. I handed over the source code to another team, which will continue to develop the product under a different brand, I remain the only owner of the domain and blog, my service will continue to develop, we are not going to close and change the policy of our work, we advise our colleagues to leave public RaaS.
The updates barred affiliates from targeting government, healthcare, educational and charity organizations regardless of their country of operation. Additionally, all other targets need to be pre-approved by the ransomware’s operators prior to actual deployment.