DataBreaches.Net

Russian-language hacking forum bans ransomware-related ads

Posted on May 14, 2021 by Dissent

XSS forum, one of the two most popular Russian-language forums with sites on clearnet and Tor, has announced that it is now banning ransomware-related ads.

[Image: No more ransom ads on XSS. Image credit: DataBreaches.net]

No more ransom! Friends, on our forum lockers (Ransomware) and everything connected with them are prohibited. Namely:

  • Ransomware affiliate programs;
  • Ransomware rental;
  • sale of lockers (ransomware software);

All topics matching this rule will be removed. Fortunately, only a few of them were found.

In explaining his reasons, Admin stated, in part:

Too much PR. Lockers (ransom) have accumulated a critical mass of nonsense, nonsense, hype, noise. When you meet the “Ransomvarny negotiator” profession, you understand that you are in the looking glass or just crazy. Moreover, 90% of this madness was created artificially, feeding this hype. Those who make good money on this noise (exchanges, insurance, intermediaries, media, etc.)

Later, in response to a comment by a forum member, Admin further elaborated:

You can’t just go flying on an airplane without studying aeronautics and piloting =) Activities without ideology, without studying the hardware (coding, reverse, administration, bug hunting) and aimed only at earning money, very quickly end in blunders or troubles. Without a technical background, you cannot immediately go into earnings. That is why, in order to teach people, we gathered here and Damaga was restored. This is not about “learning for the sake of learning”, but about building the right sequence and priorities. I would like to restore a normal healthy state of affairs.

Responding to the announcement, some members were supportive, while others pointed out that it was likely to have little impact, as some will just go to Exploit.in and others will just communicate via other platforms. Within minutes of the announcement, “Unknown” of Sodinokibi (REvil) posted:

[Image: Sodinokibi Leaving XSS. Image credit: DataBreaches.net]

In connection with the above, we are leaving this forum. Temporarily, our topic will be on exploit.in (of course, everything will be deleted there soon). After removing and there, as well as the prohibitions of lockers, we go into private. According to our calculations, it will take about a week.

It seems likely that the ban’s announcement was at least partly inspired by the Colonial Pipeline incident, and DarkSide’s use of the forum to recruit affiliates and promote its RaaS operations. But the Colonial Pipeline incident wasn’t the only headline-grabbing ransomware incident this past week. And in dumping 250 GB of data from the Metropolitan Police D.C., Babuk commented:

Who only break the industry, then turn on the back speed, they like to open arbitrage on each other on the forums, well, huge sums that they did not even receive, ascribe loud attacks that do not exist, you yourself know who makes these high-profile attacks, the industry has changed, and we urge all colleagues to accept these changes, you either accept them or leave this business

Having previously announced that they were changing their operations and would no longer encrypt data, Babuk now announced what sounds like another change in plans:

Regarding our old promises regarding the source code of the babuk. I handed over the source code to another team, which will continue to develop the product under a different brand, I remain the only owner of the domain and blog, my service will continue to develop, we are not going to close and change the policy of our work, we advise our colleagues to leave public RaaS.

So changes are coming, and quickly, but those changes may only mean less public visibility and not less criminal activity or ransomware development.

Update: Intel471 managed to get a copy of DarkSide’s message to affiliates. Read it all here. They also noted an announcement from REvil’s operator in conjunction with Avaddon, announcing an amendment to the “rules” of their organizations. According to Intel471,

The updates barred affiliates from targeting government, healthcare, educational and charity organizations regardless of their country of operation. Additionally, all other targets need to be pre-approved by the ransomware’s operators prior to actual deployment.

All that said, Intel471 seems to agree with me that this may merely indicate a retreat from the spotlight or public spaces and not a real closing down of criminal activity.

Category: Commentaries and Analyses, Malware