To function, the gangs need to find “affiliates” who are responsible for deploying the ransomware.
In the aftermath of the Colonial Pipeline affair, two of the most popular Russian forums banned all mention of ransomware activity from their sites. Administrators complained that the topic was attracting too much attention, and in this environment such attention can bring a forum down. President Joe Biden himself has spoken about two recent cyberattacks, and he regularly calls out Russia, home to these forums, on the subject.
The problem: the gangs used these sites mainly to recruit “affiliates”, that is, hackers in charge of deploying their ransomware. This workforce is essential to sustaining the “ransomware-as-a-service” model adopted by the majority of groups. Concretely, the gang provides the software that steals and then encrypts the victim’s data (the ransomware itself), but it is up to the affiliates to get it deployed on the victim’s systems. If the partnership results in a ransom payment, the gang keeps between 20 and 30% of the amount and pays the rest to its partner.
After the forums closed, top gangs like REvil decided to “go private”. In the jargon, this means that they have restricted their affiliates to loyalists they trust. But as Bleeping Computer points out, this arrangement does not hold up over time for groups looking to grow their activity. This is the case for LockBit and Himalaya, which have therefore decided to publicly reopen their recruitment on a dedicated site. Their advertising will reach fewer cybercriminals, but it will let them boost their business.
Who wants my ransomware?
To attract experienced hackers, LockBit is promoting version 2.0 of its malware. The gang also points out that its activity has not been disrupted since September 2019, an astonishing longevity in this sector. Before going their own way, LockBit operators tried to obtain a private section on the forums, with access reserved for trusted users, but, unsurprisingly, the request went unanswered.
Himalaya, a smaller gang, also highlights the strengths of its malware. According to Bleeping Computer, however, the most famous groups recruit their affiliates by word of mouth, from hacker to hacker. The situation has not returned to normal and, for once, that is good news for us.