Ransomware gangs now creating websites to recruit affiliates

Ever since two prominent Russian-speaking cybercrime forums banned ransomware-related topics [1, 2], criminal operations have been forced to promote their service through alternative methods.

At least two ransomware gangs in need of hackers to run the attacks have been using their sites to advertise features of their encryption tools to attract new recruits.

Showing off to tempt affiliates

About a week ago, LockBit ransomware gang announced a new major version for their tool, claiming significant improvement for the encryption speed.

To support their claim, the threat actor apparently tested versions of multiple ransomware pieces and published their measurements for file encryption speed.

With launching LockBit 2.0, the ransomware developers also announced a new affiliate recruitment session, highlighting that the encryption they use has not faltered since the operation started in September 2019.

“The only thing you have to do is to get access to the core server, while LockBit 2.0 will do all the rest. The launch is realized on all devices of the domain network in case of administrator rights on the domain controller,” says the LockBit ransomware gang

To attract partners, LockBit claims to offer the fastest encryption and file-stealing (StealBit) tools “all over the world.”

This move from LockBit comes after the actor in late May tried to get ransomware talks back on a popular Russian-speaking forum by proposing a private section only for “authoritative users, in whom there is no doubt.”

While one user thought this to be a good idea, they also pointed out that the ransomware topic “is now better known than ISIS terrorists,” meaning that the forum would get unwanted attention.

Another gang promoting their ransomware-as-a-service (RaaS) operation on their website recently is Himalaya, an actor that started its activity this year.

Except for using their site to spread the word, Himalaya does not seem any different than other ransomware programs. They advertise a 70% commission for affiliates and an “already configured and compiled FUD [Fully UnDetectable]” file-encrypting malware.

As seen from the announcement below, Himalaya lays out a strict rule about the targets and apparently does not allow attacking healthcare, public, and non-profit organizations. 

While BleepingComputer knows of just LockBit and Himalaya to actively advertise their RaaS operation on their websites at the moment, other ransomware gangs could adopt the tactic if it proves successful.

Threat intelligence company KELA says that not all ransomware groups are this loud in their search for affiliates, though.

The REvil gang, for instance, prefers to operate discretely and relies on its network of affiliates and connections to get new partners when they need them, KELA says.

In mid-May, immediately after ransomware got banned on one forum, the REvil group announced that they would carry their activity in private.

Other prominent groups are likely to keep their head low considering the active hunt for ransomware actors that intensified after DarkSide encrypted Colonial Pipeline systems, disrupting fuel distribution in the U.S., especially on the East Coast.