DataBreaches.Net


Russian-language hacking forum bans ransomware-related ads

Posted on May 14, 2021 by Dissent

XSS forum, one of the two most popular Russian-language forums with sites on clearnet and Tor, has announced that it is now banning ransomware-related ads.

No more ransom ads on XSS
IMAGE: DATABREACHES.NET

No more ransom! Friends, on our forum lockers (Ransomware) and everything connected with them are prohibited. Namely:

  • Ransomware affiliate programs;
  • Ransomware rental;
  • sale of lockers (ransomware software);

All topics matching this rule will be removed. Fortunately, only a few of them were found.

In explaining his reasons, Admin stated, in part:

Too much PR. Lockers (ransom) have accumulated a critical mass of nonsense, nonsense, hype, noise. When you meet the “Ransomvarny negotiator” Profession, you understand that you are in the looking glass or just crazy. Moreover, 90% of this madness was created artificially, feeding this hype. Those who make good money on this noise (exchanges, insurance, intermediaries, media, etc.)

Later, in response to a comment by a forum member, Admin further elaborated:

You can’t just go flying on an airplane without studying aeronautics and piloting =) Activities without ideology, without studying the hardware (coding, reverse, administration, baghunting) and aimed only at earning money, very quickly end in blunders or troubles. Without a technical background, you cannot immediately go into earnings. That is why, in order to teach people, we gathered here and Damaga was restored. This is not about “learning for the sake of learning”, but about building the right sequence and priorities. I would like to restore a normal healthy state of affairs.

Responding to the announcement, some members were supportive, while others pointed out it was likely to have little impact, as some will just go to Exploit.in and others will just communicate via other platforms. Within minutes of the announcement, “Unknown” of Sodinokibi (REvil) posted:

Sodinokibi Leaving XSS
IMAGE: DATABREACHES.NET

In connection with the above, we are leaving this forum. Temporarily, our topic will be on exploit.in (of course, everything will be deleted there soon). After removing and there, as well as the prohibitions of lockers, we go into private. According to our calculations, it will take about a week.

It seems likely that the ban’s announcement was at least partly inspired by the Colonial Pipeline incident, and DarkSide’s use of the forum to recruit affiliates and promote its RaaS operations. But the Colonial Pipeline incident wasn’t the only headline-grabbing ransomware incident this past week.  And in dumping 250 GB of data from the Metropolitan Police D.C., Babuk commented:

Who only break the industry, then turn on the back speed, they like to open arbitrage on each other on the forums, well, huge sums that they did not even receive, ascribe loud attacks that do not exist, you yourself know who makes these high-profile attacks, the industry has changed, and we urge all colleagues to accept these changes, you either accept them or leave this business

Having previously announced that they were changing their operations and would no longer encrypt data, Babuk now announced what sounds like another change in plans:

Regarding our old promises regarding the source code of the babuk. I handed over the source code to another team, which will continue to develop the product under a different brand, I remain the only owner of the domain and blog, my service will continue to develop, we are not going to close and change the policy of our work, we advise our colleagues to leave public RaaS.

So changes are coming, and quickly, but those changes may only mean less public visibility and not less criminal activity or ransomware development.

Update: Intel471 managed to get a copy of DarkSide’s message to affiliates. Read it all here. They also noted an announcement from REvil’s operator in conjunction with Avaddon, announcing an amendment to the “rules” of their organizations. According to Intel471,

The updates barred affiliates from targeting government, healthcare, educational and charity organizations regardless of their country of operation. Additionally, all other targets need to be pre-approved by the ransomware’s operators prior to actual deployment.

All that said, Intel471 seems to agree with me that this may merely indicate a retreat from the spotlight or public spaces and not a real closing down of criminal activity.
