When ransomware group REvil reappeared in September after a nearly two-month downtime, its return was met with a less-than-friendly reception on the cybercriminal underground.
Before going dark, the Russia-based gang attracted attention from the White House for two attacks that disrupted U.S. supply chains: the May breach at global meat supplier JBS that netted a reported $11 million payment, and a July hack on the software company Kaseya that immobilized hundreds of clients, some for months.
REvil’s sudden disappearance left the hackers who had been renting the group’s ransomware tools to conduct their own attacks, known as affiliates, in the lurch.
Almost immediately, several affiliates opened arbitration cases against the group on illicit forums. One hacker, “Boriselcin,” claimed on the XSS forum that REvil owed him money before it disappeared. While the two parties quickly resolved the case, not all disputes end so quietly, according to researchers who study dark web forums.
The arbitration process, which is meant to maintain a semblance of order in a community that operates outside the law, provides a valuable look at the processes that keep the hacker underground running. The process often leads to forum moderators icing out scammers and cybercriminals who bring undue risks to the community, a group of offenders that increasingly includes ransomware gangs.
“I would say that it’s like ‘honor among thieves,’ I suppose,” said Maria Gershuni, global intelligence analyst at the security vendor Flashpoint. “It’s a function that ensures that illicit commerce can progress smoothly.”
An evolution for organized crime
Early forums like CarderPlanet divided users into designations taken from organized crime (words like “family” and “capo” were common). Modern forums like XSS and the Russian-language Exploit have moved away from such language, but the process of arbitration has remained a sign of trustworthiness in the underground world.
“It was based on a code of mafia, but it worked,” said Dmitry Smilyanets, an analyst at threat intelligence company Recorded Future. “To have order, you must make order in your own house, so of course the forum is very well managed.”
Cybercriminal marketplaces rely on a number of safeguards to protect their integrity, ranging from escrow services to accepting deposits from ransomware groups aiming to boost their own credibility, with the forum holding a sum the group forfeits if it cheats its partners. Deposits are like the hacker forum equivalent of a “blue checkmark,” said Gershuni, a reference to Twitter’s verification system. The process can help establish trust in first-time dealings.
In the case that a group suddenly disappears, a forum’s moderator will usually distribute funds to jilted affiliates who can prove they’re owed money. Such was the case when the group DarkSide, which had a $1 million deposit on XSS, went dark in May, said Gershuni.
It’s only when something goes very wrong that actors take the step of opening an arbitration over an active deal.
Typically, aggrieved parties will turn to a forum moderator to raise a complaint. Moderators then will investigate the matter with a series of private messages and may enforce punishments ranging from restitution to a full ban from the forum.
“Within the borders of this forum, there is a sheriff — somebody who can become judge, jury and executioner,” said Gershuni. “[That] makes a forum, in the threat actor’s eyes, a quality forum.”
Sometimes the middlemen running the arbitration become embedded in the drama. In 2020, a REvil representative accused the guarantor of an escrow transaction of stealing $180,000 in funds from a commissioned job. A hacker called AD0 eventually admitted to taking the funds and investing them in cryptocurrency. He was suspended by Exploit permanently and from XSS until he repaid the funds.
“Criminals build a reputation over years and years of conducting criminal activity, and once they slip, they can lose it immediately,” said Smilyanets. “Nobody wants this to happen because with a bad reputation, you cannot progress, you cannot keep making money.”
Dozens of arbitration cases arise across the spread of popular hacker forums each day, multiple analysts say. Everyday deals can range from $50 to hundreds of dollars while some of the largest disputes can climb to the millions. The bulk of the disputes don’t involve ransomware, according to Flashpoint analyst Vlad Cuiujuclu, but it’s those cases that often result in the biggest payouts.
An opportunity for investigators
The arbitration process can risk more than just reputations. Disputes can lead to a public airing of chat logs that expose trade secrets, including attack methods and the victims that actors are targeting.
For instance, in a May dispute with REvil spokesperson UNKN, a hacker called Signature published correspondence logs that exposed the group’s tools after a dispute over a $7 million gig.
In August, an aggrieved Conti affiliate posted the group’s training manuals on the forum XSS, exposing IP addresses of the malicious Cobalt Strike servers it used in its attacks. That affiliate received the ultimate punishment: a ban from the forum.
Public disputes, while extremely risky for hackers, can provide a gold mine of information for researchers and law enforcement. Emails, bitcoin addresses and other account data can quickly become exposed.
“There’s certainly rivalries that have led to them doxing each other, and for any investigator or law enforcement agency they are absolutely a treasure trove,” said Erik Rasmussen, a former deputy prosecuting attorney and special agent with the U.S. Secret Service and head of cybersecurity and risk management solutions at Grobstein Teeple, LLP. “It’s open season on collecting that information, so you don’t have to worry about getting a search warrant, or going on to a server in another country to get a forensic image.”
In most scenarios, arbitration cases aren’t brought lightly, researchers say. Take the case of Boriselcin. When asked on the forum why he would bring up his claims so long after the group disappeared, he responded, “I have no other choice.”
“A lot of these people are from lower-income countries, Russia, Ukraine, the former Soviet Union, and we’re talking about a lot of money,” said Gershuni. “There is a sense of desperation.”
The influx of new ransomware affiliates, thanks to the increased availability of ransomware-as-a-service, has changed the criminal landscape, bringing increased scrutiny to underground forums. As a result, several forums said they would ban the advertising of ransomware services. While extortion gangs have found ways to skirt the bans and continue to attract affiliates, the increased attention has hurt some gangs’ standing among the forum community.
When an affiliate presented evidence on September 20 that REvil had been hijacking partners’ shares by pulling a bait-and-switch on victim negotiation chats, cutting affiliates out of ransom payments they were owed, Exploit burst into an uproar.
A representative of a rival ransomware group LockBit quickly latched onto the claims to discredit REvil and some other Exploit members compared the gang to low-level cybercriminals, according to posts viewed by Flashpoint. Signature renewed their once-mocked $7 million complaint against the group.
Some XSS users saw the complicated situation of REvil’s betrayal as a lost cause for arbitration.
“Now the Devil himself won’t be able to figure it out, everything is so mixed up in a big pile…” one XSS user wrote. “There will be no more arbitration, especially since ransomware groups are now prohibited.”
Another user put it more bluntly: “I open up an arbitration against Stalin, will he come back to life?”