Ransomware Gangs Recruiting Affiliates Now by Creating Websites


Ransomware gangs have begun promoting their services through other channels after two notable Russian-speaking forums prohibited ransomware-related topics. One forum is XSS; the other significant cybercrime forum is Exploit. Since the forum bans, security experts have observed new activity from ransomware gangs, which are now using their own websites to promote the features of their encryption tools. These gangs also appear to be looking for new ways to attract fresh recruits and employ unknown hackers to run attacks.




What Caused the Banning of Underground Russian Forums?

The US government's response to the recent Colonial Pipeline attack, along with several other measures, brought the bans about. In the wake of the precarious cybersecurity situation, the new US administration has made a firm commitment to cybersecurity.

Recognizing its role in the digital world, the government has pledged to hold accountable the countries that shelter ransomware gangs. It has also shown interest in formulating policies on ransom payments and in tracing and blocking transfers of virtual currency payments.

As a result, ransomware groups' recruitment on the Russian forums has halted. Ransomware attacks are not going to end any time soon, but this is a considerable step because it makes the ransomware-as-a-service model less profitable.

Flaunting To Lure Affiliates

One ransomware gang, LockBit, announced a brand-new version of its tool a week ago and promoted a considerable improvement in encryption speed. The threat actor also published encryption-speed measurements from its tests of versions of various ransomware strains. In essence, LockBit claims to offer the fastest encryption and file-stealing (StealBit) tools in the world in order to draw in accomplices.

The ransomware developers announced a new affiliate recruitment session with the launch of LockBit 2.0. They say the encryption they use has not faltered since the operation began in September 2019, and they claim that LockBit 2.0 handles everything: the user only has to get access to the core server. According to the LockBit ransomware gang, the launch is carried out on all devices in the domain network when administrator rights on the domain controller are available.

Ransomware gangs are now promoting their RaaS operations on their own sites. One of them, a ransomware gang named Himalaya, promotes its RaaS (ransomware-as-a-service) operation on its website. Himalaya began its activity this year. The gang does not differ from other ransomware programs except in using its site to spread the word. To affiliates, it offers a 70% commission and a fully designed and arranged file-encrypting malware presented as FUD (Fully UnDetectable).

Notably, Himalaya sets out a strict rule regarding its targets: it apparently does not permit attacks on medical services, public organizations, and not-for-profit organizations.

In Closing

Law enforcement is likely to target affiliates in order to force an operation to shut down, given that the core members of ransomware gangs keep a low profile. As more hacking communities make ransomware operations unwelcome, it will gradually become harder for RaaS operations to hire new affiliates.



