How (and Why) Hacker Forums Self-Moderate
“Everything in moderation,” the saying goes. It may come as a surprise that this expression applies even to many of the hacker forums scattered across the dark web. On the surface, these forums look like a lawless landscape, but there are some activities even hacker forums ban, because those activities attract too much heat.
Most recently, ransomware has been the focus of attention from security professionals and malicious actors alike. Throughout 2020, at least 59 hospitals and health care centers were impacted by ransomware, a trend that continued into 2021 with further attacks on critical infrastructure. Colonial Pipeline fell victim to a ransomware attack that cost it nearly $5 million. JBS paid nearly $11 million after its meatpacking plants were disrupted by ransomware.
DarkSide claims to be apolitical. Source: DarkSide
These high-profile attacks are drawing unwanted attention from law enforcement and government officials to the criminal underground. The DarkSide group responsible for the Colonial Pipeline shutdown tried to deflect that attention, first by claiming it was “apolitical” and then by announcing it was shutting down operations completely. Law enforcement agencies have been tight-lipped about their role in this takedown, but the FBI did recover 64 of the 75 bitcoin that Colonial Pipeline paid.
It stands to reason that, if this is what we witnessed in public, much more was occurring behind the scenes. Hackers are like pest infestations. If you can see one, then it’s almost certain there are many more lurking in the shadows. And when you shine a light on them, they scurry away to hide.
The Exploit hacker forum bans ransomware. Source: Exploit
In the midst of the uproar over the Colonial Pipeline shutdown and the DarkSide drama, two Russian-speaking hacker forums, Exploit and XSS (not to be confused with the vulnerability class of the same name), banned the purchase and sale of ransomware on their boards. Even the REvil group, which was responsible for the JBS attack and the recent attack on the MSP software vendor Kaseya, announced it was restricting ransomware attacks on health care, education and government targets. Exploit and XSS were explicit about their motive: they justified the ban by citing the unwanted law enforcement attention that ransomware would bring to their other users.
The XSS hacker forum bans ransomware. Source: XSS
The Exploit and XSS ransomware bans were announced in May 2021, and 30 days later they were still in effect. Both forums have deleted existing posts about ransomware-as-a-service (RaaS), and the bans are enforced on new posts as well: we witnessed a post recruiting RaaS affiliates get deleted a few hours after it was published.
Although it is not explicitly banned, the sale of health care data has drawn the ire of other forum users throughout the pandemic; in one instance we witnessed a forum member delete their own post after it received a particularly negative reaction from other users.
Furthermore, both Exploit and XSS have codified arbitration processes for resolving complaints between forum members. If there is one thing guaranteed to get you banned from these hacker forums, it is scamming other members.
Exploit and XSS both have similar arbitration rules. Source: Exploit
The Flip Side of the Coin
KickAss forums with a pointed message. Source: KickAss
Of course, “everything in moderation” extends to moderation itself on some of the more extreme forums. These are the hacker forums that believe if you can’t handle the heat, then you shouldn’t be in the kitchen.
RaidForums posts a ransomware ban joke. Source: RaidForums
For example, RaidForums, which has never been a major hub for ransomware, sarcastically posted that ransomware was banned because, “if it ran somewhere [ransomware], then you should probably go catch it,” before later clarifying that the post was a joke. The KickAss forums were much more to the point: “We are still open for it.”
What Evil Lurks in the Shadows?
On May 15, 2021, a REvil representative expressed delight at the opportunity to recruit new partners (two weeks before its attack on JBS). Source: Exploit
Beyond the bans and bravado, the most significant trend on these hacker forums is that ransomware groups have gone private. REvil’s position is that, now that ransomware has been banned from the forums, the group can set its own rules. “Forums are no longer interested in us, as are we in them. New affiliates come massively through word of mouth,” the group said via Twitter.
Despite the ban, known ransomware developers remain active on Exploit and XSS, reflecting their general preference for working with other Russian-speaking affiliates. It is unlikely that these bans will have any significant impact on the frequency of ransomware attacks, especially as new copycats emerge. Unfortunately, the shift to private groups will make ransomware operations harder to track, which may be another motivation behind the bans. Even so, threat intelligence tooling will still make it possible to identify ransomware actors whenever and wherever they emerge next.
Security researchers have observed that account takeover and compromised credentials are increasingly common entry points in ransomware attacks, so it is important to turn attention to initial access brokers, the middlemen who sell footholds in compromised networks, and the other malicious actors who escalate privileges once inside. Where cybercriminals are concerned, there is no honor among thieves.