Dark Web Recruitment: How Ransomware Groups Hire Cybercriminal Talent

As we observed in a recent blog on ransomware franchising, ransomware groups often behave like legitimate companies. Large or small, each group needs a certain number of capable employees to cover all the functions of a ransomware operation. A group may comprise multiple members specializing in malware development, reconnaissance, payload delivery, encryption, negotiation, cashing out, strategy, and operations management. Just like their non-criminal counterparts, effective and successful ransomware groups seek to hire the best talent for the job. After all, there’s no point in having the quickest ransomware executable if your team can’t deliver it to a victim’s network. Unlike legitimate companies, however, ransomware groups can’t just turn to professional networking and recruitment platforms to find cybercriminal talent. So how do ransomware groups navigate recruitment in a world where secrecy and anonymity are key? In this blog, the first in a series on cybercriminal recruitment, we’ll take a look at the various ways groups mine the threat actor talent pool via their own websites and cybercriminal forums. 

Recruitment via the ransomware website

The most obvious way ransomware groups recruit is via their own public-facing data-leak sites (DLS), where they publish news of their victims and list their contact details. This is especially true for groups that practice double extortion (stealing sensitive data in addition to encrypting victims’ systems). Rather than a dedicated advert listing the conditions and benefits of joining, the group may have a simple “Contact Us” form on the site for applicants to provide their contact details and the cybercriminal equivalent of a cover letter. The thinking here is probably that a successful group doesn’t need to sell itself to encourage new people to join: It can attract talent through its reputation alone. Further interaction takes place at the group’s discretion. If the group likes the applicant, it’ll move them to the next stage (likely an anonymous interview). Unsuccessful applicants shouldn’t expect to get any “constructive criticism” as feedback. We’ll call you.

Alternatively, the DLS may not have any indication of how to join the group, and might only provide contact details for encrypted email services or instant messengers. Not listing a specific application process may serve as a pre-interview test, eliminating those greener applicants who need things spelled out for them. Experienced partners will know exactly what to do, and experience in the ransomware game is just as sought after as in any other industry.

These discreet methods are all well and good if the applicant is already interested in the group and simply wants to initiate contact. But there are good reasons for groups to be a bit more explicit. Firstly, more detail is important when trying to attract potential applicants who are just testing the water and looking to break into the scene. Secondly, groups need to stand out to attract experienced affiliates. The ransomware game is a seller’s market: It’s very competitive, with more than 100 groups active over the past year.

Some groups lay out the job description, working conditions and benefits, and company history. Market leader LockBit takes this approach. Its 2,376-word “Affiliate rules” page has been a mainstay of its site for years and has been frequently updated as the group has developed and improved its ransomware as a service (RaaS) affiliate program. At the time of writing, the page describes the LockBit ransomware executable, the group’s targeting methodology, its rules and prerequisites, and pay benefits for affiliates (currently a cool 80% of a collected ransom), then provides specific instructions for creating an application. This approach certainly isn’t unique to LockBit; the Petya and Metya ransomware group advertised its then-new RaaS program in a similar manner in 2016.

Top of funnel: How to reach the DLS?

We’ve covered the various approaches groups take once a potential applicant has landed on their website and gotten the group’s contact details. But how do they attract website visitors in the first place? After all, their websites are normally hosted on a .onion URL that search engines don’t index, and Googling “ransomware jobs near me” probably isn’t going to give helpful results (I tried). This is where a group’s presence on a cybercriminal forum comes in. 
Many ransomware groups have a strong and explicit presence on these forums. The forum accounts’ profiles use the groups’ names as their aliases and the groups’ logos as their profile pictures. The representative may maintain pinned threads on these forums that contain a description of the group’s RaaS program and benefits for partners, along with contact information. These may be targeted at specific roles (e.g. “our team needs a new back-end developer”) or they may simply provide a brief description of the group without specifying the roles they’re looking to take on. However, as we mentioned in our blog on how forum life has adapted to the 2021 ransomware content ban, not all forums allow the same level of detail in a RaaS advertisement thread. On the high-profile Russian-language forums Exploit and XSS, for example, groups can only write that they are “looking for pentesters” and must refrain from mentioning the word “ransomware”. Yet on the ransomware-friendly forum RAMP, groups can give as much detail as they like. Take a look at how the AvosLocker ransomware group’s RaaS advert differs between XSS and RAMP.

Cybercriminal forum threads also allow for current or former affiliates to provide reviews of working with the groups. A positive review from a credible user almost certainly boosts a group’s profile. A negative review will almost certainly cause interested parties to distrust it. Even worse, a disgruntled affiliate could accuse the group of not paying its affiliates and initiate a claim against the group’s representative in the forum’s arbitration section. If the group loses the case, as we saw with the now-defunct group DarkSide, it would be a major blow to the group’s reputation and it would lose most, or all, of its forum deposit, depending on how much money it owed to affiliates.

Some groups are so well-known on forums that they may not even need a dedicated advertisement thread. LockBit chooses to simply maintain a forum presence and rely on its reputation alone; aspiring affiliates likely send the representative a forum private message. While LockBit doesn’t have an official forum advertisement for its RaaS program, it does conduct some interesting marketing. In September 2022 it promised to pay USD 1,000 to any cybercriminal forum users who got a tattoo of the LockBit group logo. Surprisingly, at least three users did. Talk about brand awareness… Only big, established groups can take this style of approach; smaller and newer groups must recruit more explicitly and build a reputation within the cybercriminal community first.

The forum representatives of LockBit, Alphv, and AvosLocker are clearly linked to their groups, either by using the group name or logo in their profile. But it appears that some groups may have taken a more anonymous approach to sharing their DLS address by asking “does anyone know the URL for X group” in a thread called “ransomware data leak sites” on one cybercriminal forum. Other forum users suspect that these individuals actually belong to the groups in question. Maybe the group’s representatives are trying a sort of undercover marketing campaign to generate a buzz about their group and get the cybercriminal community searching for their DLS.

Recruitee turned recruiter: Affiliates need to recruit too

Regardless of whether these adverts appear on forums or a group’s DLS, these types of advertisements and marketing come from ransomware operators and are primarily aimed at ransomware affiliates. An affiliate may be one highly skilled individual operating as a “one man band”. They can cover everything from initial access, delivery, encryption, and exfiltration, but just need a trusted ransomware executable to operate. However, many affiliates are actually teams comprising multiple members with specific roles. As the affiliate gets more successful, they’ll take on new team members to get through more attacks. So how do these affiliate teams recruit?

Like operators, they turn to cybercriminal forums. It appears that the component most sought after by affiliate teams is initial access to corporate networks. Traditionally, this is simply purchased ad hoc, with affiliates opportunistically picking from the initial access offerings listed by brokers on the most prominent cybercriminal forums. However, we’ve noticed in the past year or so that teams seem to be looking for “in-house” initial access providers, essentially getting rid of the brokerage aspect and dealing with the provider directly. In this way, they have more control over the companies they target. They can direct the provider to target a specific company of their choice, rather than having to rely on winning an auction process for an access listing that pops up on a forum. Affiliates may choose to pay their access providers a flat fee per access or a percentage of the profits generated from ransoming the victim. 

Alternatively, instead of creating a job advertisement on a forum, affiliates can turn to the ready-made solutions offered by the service providers themselves. Forums’ Freelance and Work sections abound with threads in which users offer up their skills. There are certainly some niche services being offered… Recently, we saw one user advertising business and financial analysis services in which they provide an analysis dossier assessing how much a victim would actually be able to pay based on its reported revenues and exposed copies of departmental budgets. This enables ransomware groups to waste less time targeting companies who can’t afford to pay a ransom, and gives them more knowledge to leverage during the negotiation phase. 

Another interesting listing saw a user offering up their linguistic services to American and Chinese affiliate teams wishing to work with high-profile Russian-speaking ransomware groups that explicitly state they only work with Russian speakers. The user would work as a sort of in-house liaison officer so that the affiliate would be allowed to work with the operator.

Know thy enemy

By tracking which services and roles ransomware groups are trying to recruit, Digital Shadows (now ReliaQuest) keeps track of ransomware market growth, trends, and capabilities. If a group goes on a hiring spree, we could expect them to increase their rate or size of attacks. Digital Shadows (now ReliaQuest) monitors ransomware groups and cybercriminal forums on a daily basis, tracking their victims, announcements, behavior, and related chatter. If you’d like to take advantage of this intelligence, as well as countless other insights into the dark web and cybercriminal underworld, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.