Russian-language cybercrime forum ‘XSS’ bans DarkSide and other ransomware groups
Cybersecurity researchers at Flashpoint, the Photon research team at Digital Shadows, and others have confirmed that XSS, a popular cybercriminal forum, has outright banned the sale of ransomware, the rental of ransomware, and ransomware affiliate programs on its platform, according to an announcement published in Russian.
The move comes after global scrutiny of ransomware groups intensified following a damaging attack on Colonial Pipeline that left parts of the United States starved for gas for days.
Flashpoint reported that on Thursday evening, an XSS administrator said the decision to ban ransomware activities from active groups like REvil, Babuk, DarkSide, LockBit, Nefilim and Netwalker was due to “ideological differences” as well as the increased media attention resulting from the latest high-profile attacks.
The statement said that “the critical mass of nonsense, hype and noise” raised concerns among forum members about law enforcement. They cited a recent comment by Dmitry Peskov, press secretary to Russian President Vladimir Putin, that the Russian state was not involved in the attack on Colonial Pipeline.
“Peskov is forced to make excuses in front of our overseas ‘friends’ – that’s a bit too much,” the statement said, according to the Flashpoint translation. The company noted that as of 7 a.m. on Friday, all of DarkSide’s forum posts had been deleted.
DarkSide would feel the pressure in other ways, according to Flashpoint, after the group posted a statement on another cybercriminal forum, Exploit, claiming that some of their tools had been disrupted.
In a now-deleted post, DarkSide representatives wrote that the group had “lost access to the public portion of our infrastructure,” which included the group’s blog, their payment server, and DoS servers.
The group claimed that “funds from the payment server (ours and customers’) have been withdrawn to an unknown address.” Some security analysts have questioned whether the claims are real and whether the message was simply a ruse to reduce government scrutiny of their actions.
DarkSide’s situation was also having an effect on other ransomware gangs like REvil, which issued a new set of “guidelines” urging its members to stay away from healthcare and educational institutions as well as government organizations. The new rules require that all new targets be agreed upon by group leaders, according to the post found by Flashpoint.
Representatives of the Avaddon ransomware have posted similar guidelines on Exploit, according to Digital Shadows. Over the past week, the FBI and the Australian Cyber Security Centre have issued advisories specifically on Avaddon.
“After the closure of DarkSide, the ransomware landscape is dominated by four major collectives: REvil, LockBit, Avaddon and Conti. Flashpoint assesses with moderate confidence that well-established ransomware collectives, including REvil, LockBit, Avaddon and Conti, will continue to operate in private mode,” the Flashpoint report added.
“Additionally, ransomware collectives will likely begin to advertise new affiliate recruitments through their own leak sites, as many cybercriminal forums, like XSS, and other similar platforms used for ransomware ads will likely refuse to host their activities.”
Digital Shadows noted that DarkSide still has a recruiting thread on Exploit, although it hasn’t been updated since April.
Roger Grimes, data-driven defense evangelist at KnowBe4, said the fear among security researchers is that much of this is for show, so that the major powers involved can say something has been done.
He noted that one of the main problems with ransomware – that the people behind it cannot be stopped – remains a major problem that will lead to more attacks.
“On top of that, many countries are absolute safe havens for cybercrime. Many countries have no problem with cybercriminals originating in their country as long as the criminals do not attack their own country and tacitly agree to do the government a favor, if asked,” Grimes explained, adding that some nations use stolen money to help fund government services.
“It funds it directly because the perpetrators pay expensive local and political bribes to stay in business, and indirectly because they spend money on goods and services in the country. Cybercriminals are almost celebrated by officials.”
Due to the unwanted attention brought by the attack on a critical pipeline like Colonial, Grimes said some of those involved in DarkSide could face punishment or arrest, but countries will not stop serving as a haven for cybercrime because of its profitability.
“The only lesson learned in this case is that a new border has been set. Don’t do something that causes energy shortages that bothers the government of the other nation,” Grimes said. “But will that stop them from stealing tens of billions of dollars from tens of thousands of businesses and individuals? No.”
He added that drastic measures must be taken globally to prevent countries from protecting ransomware gangs that operate with impunity, noting that the UN has already started an effort to get countries to sign something that is akin to a “digital Geneva Convention,” although it’s unlikely to be very far away.
Erich Kron, security awareness advocate for KnowBe4, said XSS has sent a strong signal by banning these players from their forums, but noted that until countries unite to do something about ransomware, not much will change.
“Between the problem with the pipeline, the attacks on hospitals that shut down trauma centers and emergency departments, and the loss of life suffered during the demolition of a German hospital, it is no wonder that the heat is on these cybercriminals,” Kron said.
“It has become painfully obvious that ransomware poses a serious threat to the lives and well-being of individuals, even outside of organizations that are held to ransom. Ultimately, to take a bite out of these gangs, governments around the world must come together to tear down illicit infrastructure and arrest players. We must make the risk higher than the reward if we are to stop this dangerous trend.”
Cybersecurity giant FireEye posted an update on Twitter Friday afternoon, saying DarkSide would shut down its service entirely and provide decryption to “companies that haven’t paid, maybe their affiliates to distribute”. The company said it “has not independently validated these claims” and that other players are speculating that it could be an exit scam.