They used to be a safe space for hackers to coordinate attacks, but with online forums worried about unwanted attention from law enforcement, many have banned ransomware posts. And—as is usually the case in the whack-a-mole game of hacking—cybercriminals are finding a way around the new restrictions: a coded language to bypass suspicion.
By the end of May, multiple hacking forums announced they were banning ransomware hackers and their advertisements following Russian cyberattacks against fuel supplier Colonial Pipeline and meat supplier JBS. Several forum administrators cited the amount of attention the ransomware attacks were getting as a reason to clamp down on those sorts of advertisements. And President Joe Biden warned in May that the U.S. wasn’t ruling out retaliatory cyberattacks against a ransomware gang behind the latest offensive against a massive fuel pipeline in the U.S.
But cybercriminals have gotten creative in the face of these bans, and they are working to do everything but post about ransomware to evade suspicion and still plan their heists, security researchers told The Daily Beast.
One user on XSS and Exploit—both popular cybercriminal forums—has been posting to offer up “help” to other users who had broken into vulnerable companies and had various accesses they could sell for other criminals to use, according to a recent client note security firm Flashpoint shared with customers. The user noted they were looking to assist others who had access through vulnerable virtual private networks (VPNs), for instance, that ostensibly “did not know what to do with them,” according to the note, which was shared with The Daily Beast.
Another user on cybercriminal forum XSS advertised they had “a team of experienced pentesters”—a term meant to denote ethical hacking of businesses to test defenses—looking to buy access to vulnerable corporate networks. That behavior is typical of a ransomware plot, in which attackers worm their way into victims’ networks, then lock up victims’ machines, steal files, and demand a ransom to unlock the victims’ computers and not post stolen data online, Vlad Cuiujuclu, an analyst at Flashpoint, told The Daily Beast.
Other users looking to run ransomware operations have resorted to “liking” others’ posts in criminal forums in an effort to entice hackers to direct message them in private channels to avoid getting booted from the forums while planning attacks, according to Flashpoint.
Just as anti-vaccination groups on social media have begun using coded words like “dance parties” to avoid Facebook bans, ransomware hackers, too, have started using code words to post about ransomware as a cover, according to Flashpoint.
“While officially ransomware-related activities are banned from most top-tier forums, it does not stop threat actors from evading the rules of forums by carefully moderating their advertisements and therefore not officially breaking the above-mentioned rule,” the client alert said.
The difficulties forums are having in keeping ransomware hackers at bay are emblematic of the broader efforts governments and the private sector are taking on to tamp down on ransomware attacks. The Biden administration has warned the Russian government that critical infrastructure is off-limits and has warned it shouldn’t allow ransomware gangs to operate within its territory. But the White House hasn’t outlined specific consequences if Russia or criminals within the country flout the warning. In the meantime, ransomware attacks, including against hospitals during COVID-19 surges, have continued.
One part of the problem is that the cybercriminal forums and their administrators are not necessarily being that vigilant, says Cuiujuclu.
“Forums are trying to look at it from the liability standpoint,” Cuiujuclu told The Daily Beast. “Nobody wants to be associated with cyber terrorism. Therefore, if someone is trying to point out dozens and dozens of cases where people are looking to ‘buy accesses,’ looking for ‘specific revenues [of companies]’ the admins of forums are going to say, ‘So what? None of this says ransomware.’”
And yet, on the flip side, if the forums were to actually batten down the hatches against ransomware attackers—and their coded language—researchers admitted privately to The Daily Beast that they feared tracking down the criminal activity would become exceedingly difficult, as it would then likely move to private channels.
When the forums announced the news that they were barring ransomware advertisements and posts, many security researchers took the news with a big grain of salt. Cybercriminals themselves often try to self-police some of their targets—ransomware gangs at times claim they won’t target hospitals or critical infrastructure—but many go after those integral services anyway.
Even one of the forums that claimed it was banning ransomware gangs, RaidForums, later announced that the whole ‘ban’ was just a joke, according to Digital Shadows researchers.
Forums aren’t the only ones starting to glom onto the idea that maybe ransomware is too attention-grabbing and not worth the risk—some hackers are beginning to avoid ransomware in their financially motivated crimes, too.
Instead of running ransomware attacks where they lock up victims’ files, some criminals are just stealing data from victims and then offering to delete the files for a fee, Kurtis Minder, the CEO and co-founder of GroupSense, told The Daily Beast.
GroupSense, which negotiates with ransomware gangs on behalf of victims, has seen hackers just rename files and not actually encrypt them as promised, Minder said.
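The renamed-but-not-encrypted pattern Minder describes is something an incident responder can check for directly rather than taking the ransom note at its word. The following is an added example, not code from the article, GroupSense, or Flashpoint: it triages files by Shannon entropy (genuine ciphertext sits near 8 bits per byte, ordinary documents well below that) and by known file signatures that a mere rename leaves intact. The 7.5-bit threshold, the signature table, and the three sample files are constructed assumptions for illustration; real triage would run this over the affected share and compare against a baseline.

```python
import hashlib
import math
from collections import Counter

# Signatures (magic bytes) for a few common formats. A rename leaves these in
# place; real encryption destroys them. Table is illustrative, not exhaustive.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\xff\xd8\xff": "jpeg",
}

# Assumed cut-off: ciphertext from any sane cipher exceeds this for files of
# a few KB or more; compressed media can approach it, so treat as a hint.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the byte-value distribution (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_format(data: bytes):
    """Return a format label if a known signature or valid UTF-8 is present."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    try:
        data.decode("utf-8")
        return "text"
    except UnicodeDecodeError:
        return None


def triage(name: str, data: bytes, threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Classify one file as renamed plaintext, likely ciphertext, or unclear."""
    ent = shannon_entropy(data)
    fmt = detect_format(data)
    if fmt is not None and ent < threshold:
        verdict = "renamed, content intact"
    elif fmt is None and ent >= threshold:
        verdict = "likely encrypted"
    else:
        verdict = "inconclusive"
    return {"name": name, "entropy": round(ent, 2), "format": fmt, "verdict": verdict}


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy stream (SHA-256 chain) standing in for ciphertext."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples mimicking what might be found on a "ransomed" share:
# two files that were only renamed, one whose contents were really replaced.
SAMPLES = {
    "report.pdf.locked": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 50,
    "notes.txt.locked": b"Quarterly numbers, do not distribute.\n" * 40,
    "photo.jpg.locked": pseudo_random(4096),
}


def triage_all(samples=SAMPLES) -> dict:
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for result in triage_all().values():
        print(result)
```

Run on a real incident, the same two signals (intact signature, low entropy) across many "encrypted" files is strong evidence that the extension change was cosmetic, which changes both the recovery plan and the negotiating position.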
“We are also seeing a rise in the extortion only plays [in which] they exfiltrate then delete data,” he said.
Some hackers have been pretending they are running ransomware attacks that steal data from victims so they can extort them, but have admitted in private channels they haven’t actually done that and don’t actually have the capability to steal files from targets.
“We have spoken with ransomware actors who have essentially admitted to us in private messages that they will claim to have stolen data even when they don’t even have the capability to exfiltrate data,” Flashpoint told The Daily Beast.
The Russian-speaking ransomware hacking group LockBit in particular has recently been posting names of companies it claims are victims on its own site—as a way to shame them and get them to pay up—but then dropping them from the site without explanation. It’s unclear if the gang is removing the companies when they pay, but at least some of the company names they’ve listed aren’t actually victims at all, which could indicate that posting names of companies is all just a ploy to get concerned companies to pay up under false pretenses, according to Flashpoint.
“I know of one particular ‘victim’ who contacted us to definitely state they were not a victim,” said Tom Hofmann, Flashpoint’s senior vice president of intelligence, adding that other hacking gangs’ shame sites have lately appeared to be riddled with fake claims. “We have been contacted by some companies named on these victim sites that claim they have never been victimized.”
In many other cases, the true nature of a ransomware gang’s attack may remain a mystery, notes Hofmann. Some attackers’ notes appear so cookie cutter and vague that it can be hard to know if the ransomware gangs have actually done what they say they’ve done—or if they’re just borrowing a page out of another gang’s playbook.
“During ransomware engagements, the ransomware notes often include stock language that states data has been stolen,” Flashpoint told The Daily Beast. “Early in an incident response, the details of what happened are not well known as these events are crisis situations; however, we have seen that some actors claim to have stolen data but do not provide any proof.”