After Ransomware Ads Are Banned On Cybercrime Forums, Alternative Platforms Being Used to Advertise and Recruit

Ransomware Gangs Scatter After Colonial Attack

Following the Colonial Pipeline ransomware attack back in May, and with the Biden administration threatening action against ransomware gangs for any attacks against U.S. infrastructure, three cybercrime forums – XSS, Exploit and RaidForums – banned ransomware ads. In addition, several ransomware leak sites have shut down. 

Advertisements via Exploit and XSS-owned Jabber services are also no longer available to ransomware collectives. This leaves ransomware operators with limited opportunities for the advertisement of their partner programs and services.

In response, ransomware collectives are disbanding, being taken down, pledging not to attack US infrastructure, or turning to other communication mediums to recruit new members into their ransomware operations. Some ransomware groups, such as Avaddon, announced a plan to switch to operating in a “private” state, which entails working with established affiliates and taking on new partnerships and customers through referrals, instead of recruiting on public forums. Some other groups, including Darkside, which was responsible for the Colonial pipeline attack, completely shut down operations; Darkside states it did so due to unspecified “pressure” from the U.S. government, but the U.S denies involvement in the group’s disbandment. 

AvosLocker Circumvents Forum Bans

But forum bans don’t mean that access is no longer sold or available. Exploit is still the top source for ransomware advertising, and XSS is also prevalent. On July 22, 2021, Flashpoint noticed an ad on the Jabber messaging service, placed by the relatively new AvosLocker Ransomware collective, using a service called HQ Advert Services. As background, the AvosLocker gang delivers its malware primarily via spam email campaigns or corrupt advertisements. 

HQ Advert Services specializes in producing mass spam campaigns on Jabber and Telegram. HQ Advert Services and other similar services function by maintaining a list of Jabber and Telegram handles, which they then use to distribute the advertisements of interest for a fee.

In addition to Jabber, Ransomware actors have also tested recruitment operations on a number of other platforms. Some groups, such as Black Shadow, maintain Telegram accounts. Others, such as LockBit 2.0, run RaaS recruitment on their forums; and still others have moved to new forums for RaaS recruitment such as RAMP (Russian Anonymous Marketplace). RAMP, in particular, is quickly growing in popularity. It has attracted 350 users in just over a week, and includes a section for corporate access.

Flashpoint analysts assess that other ransomware collectives will follow the example of the AvosLocker Ransomware group and begin to advertise their services and partner programs via Jabber and Telegram.

Flashpoint is monitoring this development and will provide updates as necessary.

Flashpoint Recommendations

Proactively monitoring the cyber threat landscape can go a long way towards preventing and protecting against a ransomware attack. Flashpoint recommends the following actions:

Learn More about Flashpoint Ransomware Response

Sign up for a demo and see how Flashpoint Readiness and Ransomware Response ensures your entire team is prepped and able to respond to any ransomware attack you may face. When equipped with Flashpoint Intelligence Platform, you move a step ahead of ransomware attacks and the cybercriminal groups who use them.