The Colonial Pipeline ransomware attack has turned out to be a turning point for ransomware. Having seen the disruption the attack caused to ordinary citizens, the underground cybercrime ecosystem has started to treat ransomware gangs as pariahs. Three major hacking forums have banned ransomware posts, and three large ransomware leak sites have gone offline.
All of this is because the hacking community fears the attention such high-profile attacks draw. US President Joe Biden said last week that the US would take action against ransomware gangs after the Colonial cyberattack shut down a major fuel pipeline and prompted a rare federal emergency declaration.
First, two major cybercrime forums banned ransomware topics and ads, citing, among other reasons, “ideological differences” and “increased media attention.” The Russian-language cybercriminal forum XSS banned ransomware groups from posting about ransomware sales, ransomware rental and ransomware affiliate programs. Exploit, another major cybercrime forum, then announced that ransomware ads, whether for recruiting affiliates, for Ransomware-as-a-Service (RaaS) offerings or for related services, would also be banned.
Then came the first sign that the ransomware gangs themselves realised they had crossed a line. DarkSide, the ransomware gang behind the Colonial Pipeline attack, said it had lost access to some of its servers and to the ransom money it held. Hours later, the operators of the REvil and Avaddon ransomware gangs said they would stop advertising on forums and operate “privately”, that is, work only with existing partners and through recommendations. Both groups also announced that they would no longer attack social sectors such as healthcare, education and government networks in any country.
But smaller groups don’t have a network of affiliates they could keep working with to carry out attacks in private. That is why two ransomware gangs, Ako (Ranzy) and Everest, decided to shut down.
Even though some gangs have stopped operating, security experts expect the individuals behind these operations to keep working in the underground under new names and disguises.
And even though ransomware gangs can no longer operate openly on these forums, they can still contact initial access brokers in private, buy access to compromised networks and launch ransomware attacks, as before, only further in the shadows now.