XSS Hacker Forum Bans Ransomware Advertising

The administration of the popular hacker forum XSS (formerly known as DaMaGeLab) has banned the advertising and sale of any ransomware programs on its site. Previously, groups like REvil, LockBit, DarkSide, Netwalker, Nefilim, and others frequently used the forum to attract new clients.

According to a statement from the XSS administrator, “The main purpose of DaMaGeLab is knowledge. We are a technical forum; we learn, research, share knowledge, and write interesting articles. The only goal of ransomware is profit. Our goals do not align. Of course, everyone needs money, but not at the expense of our core values. We are not a marketplace. There is clear degradation: newcomers read the news, see stories about insane virtual millions of dollars they’ll never get, and don’t want to learn, code, or even think. Their whole existence boils down to ‘encrypt—get $.’” (The full statement can be seen below.)

As a result, XSS has now banned ransomware affiliate programs, the rental of such malware, and the sale of lockers.

Reaction from Ransomware Groups

Soon after this announcement, representatives from several groups expressed their dissatisfaction. For example, a LockBit representative commented with just one word: “suddenly.”

A REvil representative stated that their group would be leaving the forum entirely and moving to another hacker resource—Exploit[.]in.

Changes in Ransomware Operations

It’s worth noting that REvil, one of the largest ransomware operators on the market, had recently announced upcoming changes to their operations. The hackers said they plan to stop advertising their RaaS (Ransomware-as-a-Service) platform and will work privately with a small group of known and trusted partners.

REvil also plans to stop attacking critical social sectors, including healthcare, education, and government networks in any country, as such attacks can attract unwanted attention to the group’s activities. If any client does attack a “prohibited” company or organization, the hackers intend to provide victims with a free decryption key and promise to stop working with that “partner.”

Background: Increased Law Enforcement Attention

All these developments appear to be directly related to the attention from law enforcement agencies following the recent attack by the DarkSide ransomware group on Colonial Pipeline, the largest pipeline operator in the United States. This high-profile incident drew attention at the highest levels: U.S. President Joe Biden recently stated that the U.S. government intends to disrupt the hacker group’s operations and has already held talks with Moscow.

As a result, DarkSide representatives announced that they had lost access to their servers and millions in ransom payments (although U.S. authorities do not appear to have taken any direct action yet) and reported that they were ceasing operations.

It seems that the XSS administration and REvil operators do not want to become the focus of similar law enforcement scrutiny and are trying to act preemptively.
