A shadow court system for hackers shows how professional ransomware gangs have become.
Cyber-criminals who have worked as affiliates with ransomware group Dark Side, responsible for the Colonial Pipeline attack, are having a tough time getting paid for their work now that the group has had its operations interrupted; so, they’re turning to admins of the group’s Dark Web criminal forum to sort things out in what researchers call a “shady version of the People’s Court.”
Ransomware-as-a-service (RaaS) providers like Dark Side strike arrangements with various other cyber-criminals to provide malware for their campaigns in exchange for a percentage of the take, & business is booming. Ransomware attacks have spiked by 350% since 2018.
“It should come as no surprise that RaaS groups literally treat their operations as a business – interviewing potential team members, establishing a work agreement & providing the tools to get the job done,” John Hammond, a Senior Security Researcher with Huntress, explained.
“Cyber-crime groups have to be selective & handpick members of their cohorts – they take their work seriously, & obviously it can be a lucrative gig.”
Huntress has been monitoring these cyber-criminals & watching them settle disputes among themselves. Specifically, Huntress has observed a growing number of complaints being submitted claiming Dark Side is in breach of the terms of its affiliate program. The claims are being settled among admins in a well-defined “hackers’ courtroom” & payments made by admins out of a Dark Side deposit they control.
The hackers’ court even refers to “plaintiffs” & “defendants,” Hammond added.
“Cyber-crime has matured so much there is a strange ‘People’s Court’ to dispute claims & wrongdoings in the underground syndicate,” Hammond explained.
“If a scammer has been scammed, or a business agreement has turned sour, even a hacker can file a claim & have their time in front of a jury. There is no honour among thieves — but there is a ‘dark side’ code of conduct. At least they have some ethical principles, albeit a bit twisted, guiding them.”
These darknet forums have provided RaaS providers with the infrastructure necessary to run mature, professional operations & sell their stolen data to the highest bidder. Ransomware tactics are becoming more potent, too.
Besides double extortion, where victims are threatened with losing access to their sensitive data, & also with having that data posted publicly, these ransomware gangs have decided to worsen matters with triple extortion. That means not only is the victim’s data encrypted & potentially publicly disclosed, but the ransomware operators go after the victim’s customers & partners, demanding payments from them as well.
All of these leaks, in addition to recruitment, stolen data sales etc., are run on these Dark Web forums & overseen by a strict administration structure.
Colonial Pipeline Attack
Images from Huntress include the Dark Side forum access page, which references “the latest news,” likely a reference to the Colonial Pipeline attack:
“We are apolitical, we do not participate in geopolitics, do not need to tie us with a defined govt. & look for other our motives. Our goal is to make money, & not creating problems for society.”
They added a note at the bottom that “From today we introduce moderation & check each company that our partners want to encrypt to avoid social consequences in the future.”
Just Business – Among Criminals
“Reading public messages from the Dark Side or other RaaS networks can send a chill down your spine, but it demonstrates how cyber-crime has truly become an underground industry,” Hammond explained.
“Bad actors may cripple organisations, damage national security or disrupt critical services, but they see this at face value: Nothing more than a job that gets them paid.”
While these ransomware gangs have shown ‘no mercy’ to their victims — attacking hospitals, schools & disrupting the lives of everyday people — they have enough business sense to know they need basic mechanisms for recruitment & settling disputes. In many cases, they do a better job than their legitimate cyber-security counterparts.
“Every operation that happens in the infosec industry, from marketing & sales to customer service, has a ‘dark side’ counterpart,” Hammond stated. “A ‘customer’ comes forward with a ransomware complaint? There are staff members & support queues for that.
Want a good deal on getting your stolen information back? Just contact the ‘Sales Dept.’ — they can help. That 5-star service experience is something that many legitimate service providers are striving toward to this day.”