Our 24x7 comprehensive monitoring of the Digital Underground can help you transform your information security and anti-fraud operations from reactive to proactive.

orange arrow

Ransomware Players Going Underground

intro image

Written by Dima Khrustalov

Over the past few months, several devastating ransomware attacks on US companies, allegedly by Russian cybercriminals, shone a light on the scale and audacity of ransomware attacks. In May 2021, Colonial Pipeline, one of the largest pipeline operators in the United States providing roughly 45% of the East Coast's fuel, temporarily halted operations after falling victim to a ransomware attack. A few weeks later, JBS, the world’s largest meat company, also suffered a ransomware attack that temporarily disrupted operations. Both companies made ransom payments in the millions of dollars to contain the damages. And just before the July 4th holiday in the US, technology company Kaseya suffered a major ransomware attack that has affected hundreds of customers around the world.

At the same time, the US Government deployed a more aggressive approach towards ransomware affiliates and developers than previously seen. For example, following the Colonial Pipeline hack, US law enforcement seized some of the ransom payment and the DOJ elevated investigations of ransomware attacks to a similar priority as terrorism. In addition, President Biden included ransomware attacks as one of the priority issues in his bilateral talks with Russian President Vladimir Putin in June 2021.

These actions had the effect of driving ransomware players underground. Following the Colonial Pipeline attack, the two most popular Russian-language hacking forums, Exploit and XSS, announced their decision to ban future ransomware discussions and remove all existing ransomware-related content threads. Both forums’ administrators gave one reason for the ban - ransomware is drawing too much attention from law enforcement agencies and the media, putting them at greater risk. The following is Exploit forum administrator’s statement regarding the ransomware ban (translated from Russian):

We are not happy to have ransomware on our forum since it draws too much attention. We don’t like this type of activity, since ransomware operators encrypt all sorts of networks. We have decided to remove all ransomware affiliate programs from the forum. All ransomware-related threads will be permanently removed from the forum.

Since these and other forums represent a significant recruiting channel for ransomware affiliate programs, it would seem that the ban may deal a blow to ransomware vendors. The ban triggered heated discussions amongst forum members, some of whom are ransomware vendors and affiliates. The opinions are divided into two camps - those who support the ban and those who oppose it.


Presently, it is still too early to evaluate the impact of the ransomware ban on underground Russian-language forums. At the same, it is hard to disagree with the consensus of these forum’s members. And the consensus is that the ban will not reduce the number or sophistication of ransomware attacks. The forums themselves are still full of new posts by threat actors offering access to corporate networks for sale. Often, these are acquired by ransomware affiliates, or lead to partnerships between cybercriminals on a ransomware attack. The fact that the word “ransomware” is not mentioned in these posts does not in any way exclude ransomware affiliates from participating. Ironically, the ban may also strengthen large ransomware vendors with established reputations and affiliate programs who need not rely on forums for PR and collaboration.

So, at least for now, the ban of all ransomware-related discussions on the Russian-language forums has only two real losers: 1) the forums themselves, who are losing an important source of income, and 2) information security researchers, who are losing a key source of intelligence as ransomware collaborations now take place ‘under the radar’.

Don't forget

to Visit

Our Solutions

About the Author

Dima Khrustalov is a senior analyst at Q6 Cyber’s Tel Aviv office, covering global cybercriminal activities on the Dark Web and Deep Web. Prior to Q6 Cyber, Dima was an Anti-Money-Laundering and Due Diligence analyst. Dima holds a BA in Communications and Business Administration from the Hebrew University of Jerusalem.