In mid-May 2021, the administrators of XSS and Exploit, two of the most prominent Russian-language cybercriminal forums, introduced a ban on ransomware-related content. This measure prohibited sales of ransomware variants, advertising ransomware rental schemes, and recruiting for ransomware affiliate programs. The forums also deleted historical content meeting those criteria. The site administrators feared greater scrutiny from law enforcement in the wake of the ransomware group DarkSide’s attack on the Colonial Pipeline energy delivery system. They presumably hoped that restricting the number of ransomware-related posts would give their platforms greater chances of survival. The now-defunct English-language hacking forum RaidForums released an ambiguous statement initially interpreted as another ransomware ban, but the site’s administrator later claimed this had been a joke; ransomware remained permitted until the forum’s demise in April 2022. Previous Digital Shadows (now ReliaQuest) blogs have covered how the general ransomware ecosystem has changed since the Colonial Pipeline attack, but in this piece, we’d like to take a closer look at developments on the forums themselves since the reactive introduction of the ban. We’ll examine whether forum members are obeying the regulations, and see how ransomware groups’ forum representatives have adapted to the prohibition.
The vaguely worded bans on Exploit and XSS shocked many forum users. Initially, the prohibitions were welcomed and derided in equal measure: some celebrated the ban, while others predicted the forums would die out without the revenue that the ransomware trade brought to the sites. In the subsequent weeks and months, confusion abounded as users and administrators tried to define the exact parameters of the ruling. Some believed a “ransomware ban” meant that posts containing any reference to ransomware would be prohibited, prompting the “sticklers for the rules” to add reminders of the regulation to threads reporting ransomware news. Other users thought the ban extended only to posts advertising ransomware executables. After a while, the forum administrators, likely exhausted from responding to the constant reports of rule infringements, clarified that the prohibition was intended as a commercial ban on ransomware, i.e. affecting only threads facilitating the trade of ransomware executables, source code, and builders, or recruitment threads for ransomware affiliates. Posts merely mentioning ransomware, whether sharing news reports, discussing the actions of ransomware groups, or linking to ransomware data-leak sites, are all above board.
So, at the time of writing, commercial ransomware posts on Exploit and XSS are banned de jure—as confirmed by the forum leadership—but they seem to be entirely permissible de facto. Enterprising forum members invented a workaround whereby carefully worded posts that never actually use the word “ransomware” scrape past the censors. Cue the rise of imaginatively worded threads in which users bearing the name or imagery of a ransomware group, and holding large forum deposits, write that their “team” is “looking for pentesters” (read: ransomware operators seeking to recruit affiliates). Similarly, there are now many threads in which users who have received positive reputation points from these ransomware operators write that their “team of pentesters” is “seeking initial access to large companies on a regular basis”. These users are highly likely to be ransomware affiliates, their positive reputation reflecting an existing working relationship with the operators.
However, these posts are still somewhat limited. Users can’t state outright that they’re peddling ransomware. Neither can they describe in detail the features of their executable file or the terms of their affiliate program, as they could before the ban. For example, the representative of the AvosLocker ransomware group could only disclose that they were seeking Windows, Linux, and ESXi “pentesters” for their affiliate program. It’s not hard to read between the lines though, given that this user’s profile picture bears the AvosLocker logo, their username is “Avos”, and they have a few thousand dollars deposited into the forum. Three guesses as to what they’re up to.
Overall, in practical terms, there is almost no compliance with the forum bans on commercial ransomware content on Exploit and XSS. The trade seems to be alive and well on these platforms. For those who wish to recruit affiliates or buy and sell ransomware, success is only a carefully-worded post away.
In July 2021, a threat actor created the ransomware-focused Russian-language forum RAMP as a direct response to the ransomware bans on Exploit and XSS. At the time of its creation, RAMP aimed to become a ransomware-focused forum where groups could recruit new affiliates, promote ransomware-as-a-service (RaaS) offerings, and discuss anything ransomware-related. RAMP’s founder also expressed their desire to build the platform up as a repository of technical knowledge.
RAMP experienced initial success, with several big names in the ransomware scene joining and promoting the forum, including LockBit, Conti, AvosLocker, and Alphv. Unlike on Exploit and XSS, ransomware operators and affiliates on RAMP can write in great detail about exactly who and what they’re looking for in an affiliate, and can boast about the strength of their executables. This is unlikely to make much of a difference to the large and already established ransomware groups, who can rely on their reputation to entice new affiliates to sign up, but newer groups formed since the ban may struggle to openly advertise all their selling points. RAMP gave these smaller and newer groups the freedom to provide all the details of their malware and affiliate programs, and as a result, many of them flocked to the fledgling forum. Such groups would have found it difficult to stand out from the crowd on Exploit and XSS, where they could only share their basic details.
Thanks to these freedoms, RAMP was fairly successful in the first six months following its creation. Sections dedicated to ransomware partnership programs saw high levels of activity, with weekly posts from large and small groups alike. Similarly, the forum’s sections dedicated to buying and selling initial access to corporate networks, sharing leaked databases, and trading malware also began to see healthy activity levels. It seemed that RAMP had found its niche and was fulfilling its purpose.
However, despite these early achievements, RAMP soon started to lose its way. RAMP’s troubles began in January 2022 when its second owner was banned from Exploit and XSS after a public spat with the forum representative of the notorious ransomware group LockBit involving accusations of leaked source code and links with law enforcement. Many RAMP users quickly started to worry about their own safety. Although a respected initial access buyer and likely ransomware affiliate stepped up to the plate and took over as RAMP’s new administrator, suspicion still clouds the ransomware-focused forum, which users now openly mock on Exploit and XSS.
To make matters worse for RAMP, one of the biggest ransomware groups that had been active on the site, Conti, wound down its operations and likely splintered into several groups in May 2022, following leaks of their private chat logs and an ill-judged pro-Russia statement linked to the war in Ukraine. Perhaps Conti leaving RAMP has triggered a chain reaction: There has been a significant drop-off in forum activity since the group quit the site, and many ransomware-as-a-service (RaaS) groups have removed or stopped updating their recruitment threads. Exploit and XSS users have cottoned on to RAMP’s decline, and when RAMP’s new administrator boasted that the site had “just under 3000 users already”, one XSS user mocked RAMP’s activity level by responding “and 3 visitors a day?”.
Conti and other ransomware groups ceasing to advertise on RAMP and seemingly leaving the platform has coincided with an increase in the number of “looking for pentesters” and other likely ransomware-related threads on Exploit and XSS. We can’t say for certain, but given that there has been no slowdown in the number of ransomware attacks, some of the ransomware groups that left RAMP have probably moved (or returned) to Exploit and XSS. It’s unclear whether this is due to the pull factor (being more comfortable on these platforms, with their larger user bases and stellar reputations) or the push factor (distrust of RAMP and its reduction in activity). It may even be a bit of both, with a self-reinforcing loop in which falling activity gives remaining groups less incentive to stay, so more of them leave. If ransomware groups can still advertise and recruit on Exploit and XSS despite the ban, it’s not clear whether RAMP will survive beyond its original purpose as a home for those fleeing the XSS and Exploit ransomware ban. We can’t yet say for sure that RAMP is down and out, and it may yet make a resurgence… But it doesn’t look good at the moment.
The rather lenient Exploit and XSS ransomware ban doesn’t appear to have had any effect on ransomware in general. Digital Shadows (now ReliaQuest) monitoring showed that the number and scale of ransomware attacks has certainly not wound down over the past year. In fact, it’s quite the opposite. For all the initial fanfare around the forum ransomware ban, life in the ransomware world has carried on with barely a dent; operators can recruit affiliates with a carefully worded job description, and affiliates can purchase initial access as easily as we can pop to the shops for milk. The openly flouted ransomware ban is the elephant in the room on Exploit and XSS. It may be that the administrators want to maintain a modicum of plausible deniability in the eyes of the law (“ransomware traded on our forum, officer? Really? We had no idea! It is banned, you know!”). It’s possible that if the ransomware groups from RAMP return to Exploit and XSS, the administrators of these forums could fully relax the ban. It may also be that the current geopolitical climate has reduced the Russian government’s interest in cracking down on Russian-language ransomware groups targeting the West. Whatever happens, you can be sure that we’ll keep our eyes peeled for any changes in the ever-interesting ransomware ecosystem.
Digital Shadows (now ReliaQuest) monitors ransomware groups and cybercriminal forums on a daily basis, tracking their victims, announcements, behavior, and related chatter. If you’d like to take advantage of this intelligence, as well as countless other insights into the dark web and cybercriminal underworld, sign up for a demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. Alternatively, you can access a constantly updated threat intelligence library providing insight on this and other cybercriminal trends that might impact your organization and help your security team stay ahead of the game.
Just sign up for a free seven-day test drive of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here.