Russian Cybercrime Forum “XSS” Bans DarkSide and Other Ransomware Groups
Flashpoint cybersecurity researchers, Digital Shadows’ Photon research team, and others have confirmed that XSS, a popular cybercriminal forum, has banned ransomware sales, ransomware rentals, and ransomware affiliate programs on its platform, according to an announcement posted in Russian.
The move comes after the global scrutiny of ransomware groups increased following a damaging attack on Colonial Pipeline that left parts of the United States with gas shortages for days.
Flashpoint reported that on Thursday evening, an XSS administrator said the decision to ban ransomware activities from active groups like REvil, Babuk, DarkSide, LockBit, Nefilim and Netwalker was due to “ideological differences” as well as increased media attention resulting from recent high-level attacks.
The statement said the “critical mass of nonsense, hype and noise” raised concerns among forum members about law enforcement. They cited a recent comment by Dmitry Peskov, press secretary to Russian President Vladimir Putin, that the Russian state was not involved in the attack on the Colonial Pipeline.
“Peskov is forced to make excuses in front of our ‘friends’ abroad – that’s a bit too much,” the statement said, according to the Flashpoint translation. The company noted that at 7 a.m. on Friday all of DarkSide’s forum posts had been deleted.
DarkSide would feel the pressure in other ways, according to Flashpoint, after the group posted a statement on another cybercriminal forum, Exploit, claiming that some of their tools had been disrupted.
In a now-deleted post, DarkSide representatives wrote that the group had “lost access to the public part of our infrastructure,” which included the group’s blog, its payment server, and its DOS servers.
The group claimed that “funds from the payment server (ours and customers’) have been withdrawn to an unknown address.” Some security analysts have questioned whether the claims are real and whether the message was just a ruse to reduce government scrutiny of their actions.
DarkSide’s situation was also having an effect on other ransomware gangs like REvil, which released a new set of “guidelines” urging its members to stay away from healthcare and educational institutions as well as government organizations. The new rules require that all new targets be accepted by group leaders, according to the post found by Flashpoint.
Representatives of the Avaddon ransomware have posted similar guidelines on Exploit, according to Digital Shadows. Last week, the FBI and the Australian Cyber Security Center issued notices specifically relating to Avaddon.
“After the closure of DarkSide, the ransomware landscape is dominated by four major collectives: REvil, LockBit, Avaddon and Conti. Flashpoint assesses with moderate confidence that well-established ransomware collectives, including REvil, LockBit, Avaddon and Conti, will continue to operate in private mode,” the Flashpoint report added.
“Additionally, ransomware collectives will likely start announcing new affiliate recruitments through their own leak sites, as many cybercriminal forums, like XSS, and other similar platforms used for ransomware ads will now likely refuse to host their activities.”
Digital Shadows noted that DarkSide still has a recruiting thread on Exploit, although it hasn’t been updated since April.
Roger Grimes, data-driven defense evangelist at KnowBe4, said the fear among security researchers is that much of this is just a facade for the major powers involved to say something was done.
He noted that one of the biggest issues with ransomware – that the people behind it can’t be stopped – is still a major issue that will lead to more attacks.
“On top of that, many countries are absolutely safe havens for cybercrime. Many countries have no problem with cybercriminals from their countries as long as the criminals do not attack their own country and tacitly agree to do a favor to the nation’s government, if asked,” Grimes explained, adding that some countries use stolen money to help fund government services.
“It funds it directly because the perpetrators pay expensive local and political bribes to stay in business, and indirectly because they spend the money on goods and services in the country. In many countries, cybercriminals are almost celebrated by the authorities.”
Due to the unwanted attention generated by the attack on a critical pipeline like Colonial, Grimes said some of those involved in DarkSide could face punishment or arrest, but countries will not stop serving as havens for cybercrime because of its profitability.
“The only lesson learned in this case is that a new border has been set. Don’t do something that causes energy shortages that upset the government of the other nation,” Grimes said. “But will that stop them from stealing tens of billions of dollars from tens of thousands of businesses and individuals? No.”
He added that drastic measures must be taken globally to prevent countries from protecting ransomware gangs that operate with impunity, noting that the UN has already started pushing countries to sign something akin to a “digital Geneva Convention,” although it is unlikely to go very far, said Grimes.
KnowBe4’s security awareness advocate Erich Kron said XSS has sent a strong signal by banning these players from its forums, but noted that until countries come together to do something against ransomware, not much will change.
“Between the problem of pipelines, attacks on hospitals that have closed trauma centers and emergency departments, and the loss of life suffered during the closure of a German hospital, it is no wonder that these cybercriminals are under pressure,” Kron said.
“It has become painfully obvious that ransomware poses a serious threat to the lives and well-being of individuals, even outside of organizations that are being held to ransom. Ultimately, to eliminate these gangs, governments around the world must come together and shut down, tear down illicit infrastructure and arrest gamers. We must make the risk higher than the reward if we are to stop this dangerous trend.”
Cybersecurity giant FireEye posted a review on Twitter Friday afternoon, saying DarkSide would shut down its service entirely and provide decryptors to “businesses that haven’t paid, possibly their affiliates to distribute.” The company said it “has not independently validated these claims and that other players are speculating that it could be an exit scam.”