Three Major Hack Forums Ban Ransomware Ads, Forcing Hackers Underground
The recent ransomware attack on Colonial Pipeline has caused a major stir in the cybercriminal underground. As a reminder, the DarkSide ransomware attack led to significant disruptions in the supply of gasoline, diesel, jet fuel, and other petroleum products in the United States, prompting several states to declare a state of emergency.
This high-profile incident drew attention at the highest levels: U.S. President Joe Biden announced that the U.S. government intended to disrupt the hacker group’s operations, and talks were held with Moscow. As a result, members of DarkSide claimed they lost access to their servers and multimillion-dollar ransom payments, and quickly announced they were shutting down.
The increased attention from authorities did not sit well with many in the cybercriminal community. Last week, the administrators of the XSS and Exploit hacker forums banned the advertising and sale of any ransomware on their platforms. A representative from XSS even stated that the word “ransom” has become too dangerous and toxic these days.
Now, another major hacker forum, RAID, has joined the ban on ransomware. While XSS and Exploit were used by larger hacker groups to advertise, RAID was typically a platform for up-and-coming ransomware operators.
Impact on Ransomware Groups
These developments have had a direct impact on hacker groups themselves. As mentioned earlier, DarkSide has ceased operations. Operators of REvil, currently one of the largest ransomware groups, announced they would stop advertising their Ransomware-as-a-Service (RaaS) platform and would now work only privately with a small group of known and trusted partners.
REvil also plans to stop targeting critical social sectors, including healthcare, education, and government networks in any country, as such attacks could attract unwanted attention. If any of their clients attack a “prohibited” company or organization, the hackers say they will provide the victims with a free decryption key and will cease working with that partner.
Following REvil’s lead, the developers of another major ransomware, Avaddon, announced similar restrictions and measures.
Smaller Ransomware Groups Face Bigger Problems
Smaller ransomware groups are facing even more serious challenges. Over the past weekend, at least two hacker groups, Ako (Ranzy) and Everest, appear to have shut down their operations entirely.
No, I noticed the extortion site for Everest ransomware go down yesterday, but I wasn’t sure if it was offline or just flaky bulletproof hosting. Yesterday I was getting some weird Google CAPTCHA stuff for AKO/RANZY, now nothing. I think we have…a thing. https://t.co/P52XaNSpXo
— Allan “Ransomware Sommelier” Liska (@uuallan) May 16, 2021
Conclusion
The crackdown on ransomware advertising by major hacker forums is forcing cybercriminals to go underground and operate more privately. While large groups are adapting by restricting their activities and partnerships, smaller groups are struggling to survive in the new environment.