Administrators of various underground hacking forums hosted on both the public Internet and Dark Web are having serious discussions about the “good idea” of allowing the sale of ransomware via their platforms.
According to research by threat intelligence firms Anomali and Flashpoint, shared with Bleeping Computer before publication, several such discussions have taken place on these forums since the start of 2016, and have regularly come up again and again.
Notable talks occurred after the infamous ransomware infection at the Hollywood Presbyterian Hospital in Los Angeles, but also after the WannaCry and NotPetya incidents.
Forum admins supportive of ransomware ban
While regular users sharing their opinions in controversial discussions is a common occurrence, forum admins rarely participate in such topics.
When forum admins talk, users listen, as their opinions usually end up becoming forum policy later down the road.
According to Travis Farral, Director of Security Strategy at Anomali, and Vitali Kremez, Director of Research at Flashpoint, forum admins have often shared negative opinions about malware developers selling ransomware on their platforms, always bringing up the same reasons.
It is worth mentioning that most of these forums are based in Eastern Europe, and especially in former USSR states, where authorities seem to ignore cyber-crime as long as crooks don’t target local citizens.
“We are digging our own grave”
One malware dev active on one of these forums also pointed out that ransomware — which is typically a very noisy and intrusive malware infection — leads to situations where companies introduce new security measures and block access to previously vulnerable networks and computers, hindering the efforts of other crooks.
In addition, infection methods used by ransomware, often borrowed from more stealthy malware, are addressed and patched when ransomware operators adopt the same techniques.
“Allowing ransomware operators on the forum, we are digging our own grave,” one threat actor wrote in a reply to one of these discussions. “Of course, banning this work on the forum doesn’t stop this type of business, but as a minimum, we can use community disapproval to make it more difficult to enter into it.”
48.5% of hacking forum users support a ransomware ban
Despite several negative opinions from forum admins and other threat actors, Farral and Kremez say that only 48.5% of hacking forum users expressed support for a ban on ransomware sales.
Banning ransomware would be a tough decision for any forum admin, as they often take commissions from escrowing sales through their platform. Since ransomware is a big business and multiple threat actors are active in this niche, forum admins risk losing business.
If a ban is not enforced on all major hacking platforms, one forum could be more than happy to take in new business seeking a new home after getting banned on a rival forum.
While we don’t expect to see a ban on ransomware anytime soon, it is surprising that malware authors are at least having serious discussions about the consequences of their work, and especially ransomware, today’s most hated and despised malware category.
In an email to Bleeping Computer earlier today, Kremez shared his personal opinion on these discussions, and ransomware’s future on Russian-speaking forums.
“Ransomware is already considered by many threat actors to be a low form of cybercrime, and it is likely to continue to be viewed in this way by underground communities,” Kremez said. “As the Wannacry and Petya ransomware attacks caused a large number of Russian victims, such attacks will also likely cause underground administrators to more strictly enforce the rule about not targeting Russia.”
At the time of writing, ransomware is still peddled on almost all underground hacking forums.
If admins decide to act, this would not be the first time that notable security incidents have led to a ban on underground hacking forums. Last year, after the DDoS attacks using the Mirai malware, HackForums, the biggest hacking forum on the public Internet, banned the sale of DDoS booters on its site.