Russian-language cybercriminal forum ‘XSS’ bans DarkSide and other ransomware groups

The move follows a number of disruptions to DarkSide’s operations in the last 24 hours.
Written by Jonathan Greig, Contributor

Cybersecurity researchers with Flashpoint, Digital Shadows' Photon Research Team and other firms have confirmed that XSS, a popular cybercriminal forum, has outright banned ransomware sales, ransomware rental, and ransomware affiliate programs on its platform, according to an announcement released in Russian.

The move comes after global scrutiny of ransomware groups increased following a damaging attack on Colonial Pipeline that left parts of the United States with gas shortages for days. 

Flashpoint reported that on Thursday evening, an administrator of XSS said the decision to outlaw the ransomware activities of active groups like REvil, Babuk, DarkSide, LockBit, Nefilim, and Netwalker was due to "ideological differences" as well as the increased media attention resulting from the latest high-profile attacks.

The statement said the "critical mass of nonsense, hype, and noise" was leading to concerns among the forum's members about law enforcement. They cited a recent comment from Dmitry Peskov, press secretary for Russian President Vladimir Putin, that said the Russian state was not involved in the attack on Colonial Pipeline.

"Peskov is forced to make excuses in front of our overseas 'friends' – this is a bit too much," the statement said, according to Flashpoint's translation. The company noted that by 7 am on Friday, all of DarkSide's posts in the forum had been removed. 

DarkSide is allegedly feeling the pressure in other ways, according to Flashpoint, with the group sending out a statement on another cybercriminal forum, Exploit, claiming to have had some of their tools disrupted. 

In a now deleted post, DarkSide representatives wrote that the group had "lost access to the public part of our infrastructure," which included the group's blog, their payment server and DOS servers.

The group claimed that "funds from the payment server (ours and clients') were withdrawn to an unknown address." Some security analysts questioned whether the claims were real and wondered whether the message was simply a ruse to reduce the government scrutiny of their actions. 

DarkSide's situation was also having an effect on other ransomware gangs like REvil, which released a new set of "guidelines" urging its members to stay away from healthcare and educational institutions as well as government organizations. The new rules demand that all new targets must be agreed upon by the leaders of the group, according to the message found by Flashpoint. 

Representatives for the Avaddon ransomware released similar guidelines on Exploit, according to Digital Shadows. In the last week, both the FBI and the Australian Cyber Security Centre have released notices specifically about Avaddon.

"After the closure of DarkSide, the ransomware landscape is dominated by four major collectives: REvil, LockBit, Avaddon, and Conti. Flashpoint assesses with moderate confidence that well-established ransomware collectives—including REvil, LockBit, Avaddon, and Conti—will continue to operate in private mode," the Flashpoint report added.

"Additionally, ransomware collectives will likely begin to advertise recruitment for new affiliates via their own leak sites since many cybercriminal forums, like XSS, and other similar platforms used for ransomware advertisements will now likely refuse to host their activities."

Digital Shadows noted that DarkSide still has a recruitment thread on Exploit, although it has not been updated since April. 

Roger Grimes, data-driven defense evangelist at KnowBe4, said the fear among security researchers is that much of this is window dressing so that the major powers involved can say something was done.

He noted that one of the main problems with ransomware -- that the people behind it cannot be arrested -- is still a major issue that will lead to more attacks. 

"On top of that, many countries are absolutely cybercrime safe havens. Many countries have no problem with cyber criminals originating from their country as long as the criminals don't attack their own countries and tacitly agree to do favors for the government, if asked," Grimes explained, adding that some nations use stolen money to help fund government services.  

"It funds it directly because the perpetrators are paying expensive local and political bribes to stay in business, and indirectly because they spend the money on goods and services in the country. In many countries cybercriminals are almost celebrated by the officials." 

Due to the unwanted attention brought by attacking a critical pipeline like Colonial's, Grimes said some of those involved in DarkSide may get punished or arrested but countries will not stop serving as cybercrime havens because of how lucrative it is. 

"The only lesson learned in this case is that a new boundary has been set. Don't do something that causes energy shortages that gets the other nation's government upset," Grimes said. "But will it stop them from stealing tens of billions of dollars from tens of thousands of businesses and individuals? No." 

He added that drastic action needed to be taken on a global scale to stop countries from protecting ransomware gangs that operate with impunity, noting that the UN has already started an effort to get countries to sign something akin to a "digital Geneva Convention," although Grimes said it is unlikely to get very far.

KnowBe4 security awareness advocate Erich Kron said XSS sent a strong signal by banning these players from its forum but noted that until countries band together to do something about ransomware, little will change.

"Between the pipeline issue, attacks on hospitals that closed trauma centers and emergency departments, and the loss of life suffered when a German hospital was taken down, it is no wonder the heat is on these cyber criminals," Kron said. 

"It has become painfully obvious that ransomware poses a serious threat to life and to the welfare of individuals, even outside the organizations that are ransomed. Ultimately, to take a bite out of these gangs, governments across the globe need to band together and shut down the illicit infrastructures and arrest the players. We must make the risk higher than the reward if we want to put an end to this dangerous trend."

Cybersecurity giant FireEye sent out a notice on Twitter on Friday afternoon saying DarkSide would be closing their service entirely and providing decrypters to "companies who have not paid, possibly to their affiliates to distribute." The company said it "has not independently validated these claims and there is some speculation by other actors that this could be an exit scam."