In mid-May 2021, the administrators of XSS and Exploit, two of the most prominent Russian-language cybercriminal forums, introduced a ban on ransomware-related content. This measure prohibited sales of ransomware variants, advertising ransomware rental schemes, and recruiting for ransomware affiliate programs. The forums also deleted historical content meeting those criteria. The site administrators feared greater scrutiny from law enforcement in the wake of the ransomware group DarkSide’s attack on the Colonial Pipeline energy delivery system. They presumably hoped that restricting the number of ransomware-related posts would give their platforms greater chances of survival. The now-defunct English-language hacking forum RaidForums released an ambiguous statement initially interpreted as another ransomware ban, but the site’s administrator later claimed this had been a joke; ransomware remained permitted until the forum’s demise in April 2022. Previous Digital Shadows (now ReliaQuest) blogs have covered how the general ransomware ecosystem has changed since the Colonial Pipeline attack, but in this piece, we’d like to take a closer look at developments on the forums themselves since the reactive introduction of the ban. We’ll examine whether forum members are obeying the regulations, and see how ransomware groups’ forum representatives have adapted to the prohibition.
Initial reaction in the Russian-language scene
The vaguely-worded bans on Exploit and XSS shocked many forum users. Initially, the prohibitions were equally welcomed and derided: While some celebrated the ban, others predicted the forums would die out without the revenue from the trade that ransomware brought to the sites. In the subsequent weeks and months, confusion abounded as users and administrators tried to define the exact parameters of the ruling. Some believed a “ransomware ban” meant that posts containing any reference to ransomware would be prohibited, causing the “sticklers for the rules” to add reminders of the regulation to threads reporting ransomware news. Other users thought that the ban only extended to posts advertising ransomware executables. After a while, the forum administrators, likely exhausted from having to respond to the constant reports of rule infringements, clarified that the prohibition was intended as a commercial ban on ransomware, i.e. only affecting those threads facilitating the trade of ransomware executables, source codes, and builders or recruitment threads for ransomware affiliates. Posts merely mentioning ransomware, in the context of sharing news reports, discussing the actions of ransomware groups, and sharing links to ransomware data-leak sites, are all above board.
Plus ça change: The rise of “looking for pentesters”
So, at the time of writing, commercial ransomware posts on Exploit and XSS are banned de jure—as confirmed by the forum leadership—but they seem to be totally permissible de facto. Enterprising forum members invented a workaround whereby carefully worded posts that don’t actually mention the word “ransomware” can scrape past the censors. Cue the rise of imaginatively worded threads in which users bearing the name or imagery of a ransomware group with large forum deposits write that their “team” is “looking for pentesters” (read: ransomware operators seek to recruit affiliates). Similarly, there are now many threads in which users who have been awarded positive reputation points by these ransomware operators write that their “team of pentesters” is “seeking initial access to large companies on a regular basis”. It is highly likely that these are ransomware affiliates, who have been awarded positive reputation points by ransomware operators due to their working relationship.
However, these posts are still somewhat limited. Users can’t state outright that they’re peddling ransomware. Neither can they describe in detail the features of their executable file or the terms of their affiliate program, as they could before the ban. For example, the representative of the AvosLocker ransomware group could only disclose that they were seeking Windows, Linux, and ESXi “pentesters” for their affiliate program. It’s not hard to read between the lines though, given that this user’s profile picture bears the AvosLocker logo, their username is “Avos”, and they have a few thousand dollars deposited into the forum. Three guesses as to what they’re up to.
Overall, in practical terms, there is almost no compliance with the forum bans on commercial ransomware content on Exploit and XSS. The trade seems to be alive and well on these platforms. For those who wish to recruit affiliates or buy and sell ransomware, success is only a carefully-worded post away.
The rise and gradual decline of RAMP
In July 2021, a threat actor created the ransomware-focused Russian-language forum RAMP as a direct response to the ransomware bans on Exploit and XSS. At the time of its creation, RAMP aimed to become a ransomware-focused forum where groups could recruit new affiliates, promote ransomware-as-a-service (RaaS) offerings, and discuss anything ransomware-related. RAMP’s founder also expressed their desire to build the platform up as a repository of technical knowledge.
RAMP experienced initial success, with several big names in the ransomware scene joining and promoting the forum, including LockBit, Conti, AvosLocker, and Alphv. Unlike on Exploit and XSS, ransomware operators and affiliates on RAMP can write in great detail about exactly who and what they’re looking for in an affiliate, and can boast about the strength of their executables. This is unlikely to make much of a difference to the large and already established ransomware groups, who can rely on their reputation to entice new affiliates to sign up, but newer groups formed since the ban may struggle to openly advertise all their selling points. RAMP gave these smaller and newer groups the freedom to provide all the details of their malware and affiliate programs, and as a result, many of them flocked to the fledgling forum. Such groups would have found it difficult to stand out from the crowd on Exploit and XSS, where they could only share their basic details.
Due to these freedoms, in the first six months following RAMP’s creation, the forum was fairly successful. Sections dedicated to ransomware partnership programs saw high levels of activity, with weekly posts from large and small groups alike. Similarly, the forums sections dedicated to buying and selling initial access to corporate networks, sharing leaked databases, and trading malware also began to see healthy activity levels. It seemed that RAMP had found its niche, and was fulfilling its purpose.
However, despite these early achievements, RAMP soon started to lose its way. RAMP’s troubles began in January 2022 when its second owner was banned from Exploit and XSS after a public spat with the forum representative of the notorious ransomware group LockBit involving accusations of leaked source code and links with law enforcement. Many RAMP users quickly started to worry about their own safety. Although a respected initial access buyer and likely ransomware affiliate stepped up to the plate and took over as RAMP’s new administrator, suspicion still clouds the ransomware-focused forum, which users now openly mock on Exploit and XSS.
To make matters worse for RAMP, one of the biggest ransomware groups that had been active on the site, Conti, wound down its operations and likely splintered into several groups in May 2022, following leaks of their private chat logs and an ill-judged pro-Russia statement linked to the war in Ukraine. Perhaps Conti leaving RAMP has triggered a chain reaction: There has been a significant drop-off in forum activity since the group quit the site, and many ransomware-as-a-service (RaaS) groups have removed or stopped updating their recruitment threads. Exploit and XSS users have cottoned on to RAMP’s decline, and when RAMP’s new administrator boasted that the site had “just under 3000 users already”, one XSS user mocked RAMP’s activity level by responding “and 3 visitors a day?”.
Conti and other ransomware groups ceasing to advertise on RAMP and seemingly leaving the platform has coincided with an increase in the number of “looking for pentesters” and other likely ransomware-related threads on Exploit and XSS. We can’t say for certain, but given that there’s been no slow-down in the number of ransomware attacks, some of the ransomware groups that left RAMP have probably moved (or returned) to Exploit and XSS. It’s unclear whether this is due to the pull factor (being more comfortable on these platforms, with their larger user bases and stellar reputations), or the push factor (distrust of RAMP and its reduction in activity). It may even be a bit of both, as a negative feedback loop causes more groups to leave as there’s less incentive to stay on RAMP. If ransomware groups can still advertise and recruit on Exploit and XSS, despite the ban, it’s not clear whether RAMP will survive beyond its original purpose as a home for those fleeing the XSS and Exploit ransomware ban. We can’t yet say for sure that RAMP is down and out, and it may yet make a resurgence… But it doesn’t look good at the moment.
The rather lenient Exploit and XSS ransomware ban doesn’t appear to have had any effect on ransomware in general. Digital Shadows (now ReliaQuest)’ monitoring showed that the number and scale of ransomware attacks has certainly not wound down over the past year. In fact, it’s quite the opposite. For all the initial fanfare around the forum ransomware ban, life in the ransomware world has carried on with barely a dent; operators can recruit affiliates with a carefully worded job description, and affiliates can purchase initial accesses as easily as we can pop to the shops for milk. The openly flouted ransomware ban is the elephant in the room on Exploit and XSS. It may be that the administrators want to maintain a modicum of plausible deniability in the eyes of the law (“ransomware traded on our forum, officer? Really? We had no idea! It is banned you know!”). It’s possible that if the ransomware groups from RAMP return to Exploit and XSS, the administrators of these forums could fully relax the ban. It may be the case that the current geopolitical climate has reduced the Russian government’s interest in cracking down on Russian-language ransomware groups targeting the West. Whatever happens, you can be sure that we’ll keep our eyes peeled for any changes in the ever-interesting ransomware ecosystem.Digital Shadows (now ReliaQuest) monitors ransomware groups and cybercriminal forums on a daily basis, tracking their victims, announcements, behavior, and related chatter. If you’d like to take advantage of this intelligence, as well as countless other insights into the dark web and cybercriminal underworld, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly-updated threat intelligence library providing insight on this and other cybercriminal-related trends that might impact your organization and allow security teams to stay ahead of the game. Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.