"This Forum is a Bunch of Communists and They Set Me Up": LockBit Spills the Tea Regarding Their Recent Ban on Russian-Speaking Forums - Analyst1
Written by Anastasia Sentsova and Jon DiMaggio

On January 30, 2024, LockBitSupp, a member of the infamous LockBit ransomware group, faced a ban from two prominent Russian-speaking forums, XSS and Exploit. These forums hold a significant position in the Russian-speaking underground community, being among the oldest forums in existence. The forums are well-structured, with various sections catering to the diverse interests of illicit activity amongst its users. Arbitration is one of the sections available to members, allowing them to file complaints against each other, with forum admins making decisions based on the situation presented.

Getting banned from these forums typically involves a serious violation, and LockBit's ban was prompted by a complaint from another forum member under the alias "michon." According to michon, they had collaborated with LockBit, providing access to a target entity. However, LockBit allegedly extorted the target without sharing any of the profit, leading to the complaint and subsequent ban.

LockBit responded with their perspective on the situation, asserting that michon initiated contact with them and provided access to a breached company without any formal agreement. LockBit successfully extorted the payment, and later michon requested a percentage of the payout in the amount of 4 million USD, which LockBitSupp refused to pay. Following the dispute, both parties initially agreed to handle it privately, but michon opted to make it public.

After the complaint was addressed publicly, an administrator requested that LockBitSupp share 10% of the obtained profit. LockBitSupp declined, leading to their ban. The forum admin stated: "Unfortunately, the defendant refused. Status assigned. Case closed."

In addition, the admin of XSS once again emphasized the ban on the ransomware topic when explaining the rationale behind LockBit's ban. They stated: "It's disheartening to witness such arbitrage, especially in light of the real and not imaginary ban on ransomware discussions. I would like to remind everyone of rule number 9: Ransomware is strictly prohibited," referring to the ban of the ransomware topic established back in May 2021.

LockBitSupp was banned from XSS and later from Exploit, with the status "Ripper" (Rus. "Кидала") assigned. Beyond the ban itself, this status is arguably the most detrimental for a forum member. It signifies a lack of trust, making it strongly discouraged for anyone to engage in collaboration with them. To protect their reputation and prove themselves not guilty, LockBitSupp took this to another DarkWeb forum, RAMP, to appeal this ban.

RAMP is a Russian-speaking DarkWeb forum fully dedicated to ransomware activity. LockBit was one of the first ransomware operations to promote its affiliate program back in 2021, when RAMP was launched after an official ban of the ransomware topic on the XSS forum. It was later revealed that the creator of RAMP is the infamous "BorisElcin," also known as "Wazawaka," who was later identified as Mikhail Matveev. In May 2023, Mikhail Matveev faced sanctions from the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) due to his suspected involvement in multiple ransomware attacks conducted by the Hive, LockBit, and Babuk ransomware syndicates. Matveev, operating on RAMP initially under the aliases "TetyaSluha" and later "Orange," eventually relinquished his admin rights. It is unclear if Matveev is currently involved in any of RAMP's operations. The current admin is an actor operating under the moniker "Stallman," a very well-known and respected member of the Russian-speaking DarkWeb community.

On Thursday, February 1st, 2024, LockBitSupp leveraged the RAMP forum to tell its side of the story surrounding the events that led to the ban on other Russian underground forums. You can see the post in Figure 5 below.

LockBitSupp made a post on the RAMP forum asking the forum administrator, Stallman, to reevaluate the incident and make an independent determination regarding whether LockBit
cheated michon out of the money it was owed for its services. In the post, LockBitSupp claims that the administrator who ruled against it and enforced the ban had ulterior motives influencing their decision. According to LockBitSupp, the ruling XSS admin is the friend of a former XSS moderator and the plaintiff who also had a previous conflict with LockBitSupp. LockBitSupp believes that this relationship affected the admin's ability to adjudicate the complaint fairly.

While Analyst1 cannot confirm the relationship between the former XSS moderator and the administrator, it appears plausible based on the infrequent enforcement of the rule against ransomware discussions on XSS. The forum is full of conversations about ransomware, yet enforcement is rare and selective. Furthermore, LockBitSupp has frequently engaged in ransomware discussions since joining the forum in March 2021 without facing consequences from XSS moderators until the complaint was filed.

Typically, the XSS admins require complainants to provide evidence of a valid agreement for unpaid services in order to find someone guilty in such situations. However, based on the logs submitted by LockBitSupp, no such agreement was made. In other words, the logs showed that the parties discussed a payment but never agreed upon the terms or amount, yet the complainant still provided access. The XSS admin confirmed that no prearranged payment agreement existed, yet still ruled in favor of the complainant.

While it's uncommon for us to agree with a threat actor, if we disregard the illegal services and criminal acts that the parties are disputing over and focus on the ruling based on the presented evidence in the arbitration, it seems unfair to hold a party accountable for a monetary amount that was not agreed upon in advance by both parties. Analyst1 had a conversation with LockBitSupp discussing the events that occurred and the ruling made by the XSS administrators. We questioned LockBitSupp about why they didn't agree to payment
terms beforehand to avoid this situation completely. LockBitSupp explained that the complainant lacked experience, credibility, and reputation, which made it difficult to agree to upfront payment without knowing what they would receive in return. LockBitSupp also mentioned that they often encounter criminals who make empty promises in an attempt to scam the group, and they only make payment after a successful criminal operation where the involved criminals have fulfilled their part of the agreement. Analyst1 can confirm this statement, as it aligns with the terms outlined in the group's affiliate rules listed on their data leak site.

We asked LockBitSupp, if this was true, why did it not pay the complainant after the criminal engagement was completed? LockBitSupp stated the complainant became confrontational and impatient and publicly leaked private information about the operation on the forum, which is an offense within the criminal community.

We also asked LockBitSupp why it was banned by the Exploit forum if the complaint was filed on the XSS forum. LockBitSupp explained that "This is the rule in the Russian-speaking community and across the forums. If you are getting banned from one forum, you are automatically excluded from others." This also explains why LockBitSupp was upset about the ruling. Getting banned across multiple Russian-speaking forums limits the group's exposure to other criminals and resources. LockBit also believes that the moderator's decision, which required it to pay 10% of the criminal revenue generated from the operation in which the complainant provided initial access, was biased and unfair. LockBit says it never agreed to such a large sum and refuses to be blackmailed into making such a payment. Again, we don't often agree with LockBitSupp, but if the logs provided are authentic and inclusive, the logs provided support this claim.

As you may recall, LockBitSupp stood by their decision and refused to make payment, resulting in their expulsion from both the Exploit and
XSS forums. However, when LockBitSupp appealed to the RAMP forum administrator, it hoped for a more favorable outcome, which is exactly what it received. On Sunday, February 4th, 2024, Stallman, the RAMP administrator, determined that LockBitSupp did not violate the terms of the agreement. This decision was based on the conversation logs submitted as evidence, which revealed that no prior agreement or promise of payment had been made.

The administrator cited statements from the conversation logs as justification for their decision:

LockBitSupp: "I don't have to pay you just for access. I'm only going to pay you if the victim pays a ransom. What is not fair? Where do you see injustice?"

michon: "At the moment, I want 4 million USD for access."

LockBitSupp: "Well, I'm not ready to pay you that much for access, and no one would ever buy any access for that kind of money."

However, despite the positive ruling made by the RAMP administrator, the XSS and Exploit forums have not lifted the ban. This means that LockBitSupp may have won the appeal but will not benefit from it. Such a discrepancy in verdicts between forums is surprising, considering how interconnected the Russian-speaking underground is.

DarkWeb forums serve as valuable sources of intelligence, but unlocking their insights requires a thorough understanding of the underground ecosystem. It involves delving into the historical events that have shaped the underground over the years, as well as examining the profiles of actors, considering their cultural backgrounds that often influence their behavior.

Drawing parallels between the dynamics of DarkWeb forums and the broader Russian-speaking society, we uncover striking similarities. Both environments are collectivist in nature, placing a strong emphasis on community importance, adherence to established guidelines, and the exchange of shared experiences. This fosters a cohesive environment where individuals feel a sense of belonging and camaraderie.

While the story presented to both the underground
world and the wider public may appear straightforward, several details about the LockBit ban raise questions. One is the lack of forum reputation of the individual behind the complaint, who registered their account as recently as January 12, 2024. In an underground where hierarchy plays a central role in forming relationships, this seems contradictory. LockBitSupp themselves point to this by saying: "This is a random person with no established reputation."

The hierarchical structure within DarkWeb forums mirrors the organizational structure seen in various aspects of Russian society, reflecting a preference for a clear and defined chain of command. Moreover, the unwritten code of conduct, respect for authority, and a strong sense of camaraderie are foundational principles that shape the underground. With the forum's reputation and assigned ranks, underground members navigate their way through the hierarchy, striving to climb the ladder. Until they reach the upper echelons, they treat those already at the top with respect.

The incident involving LockBit's ban sheds light on another important aspect of the Russian-speaking underground: the significance of interpersonal relationships. Trust, collaboration, and deal-making often hinge on these relationships, which are established based on mutual interests and common goals. LockBit's mention of a close relationship between the admin who made the decision and the former moderator of XSS, who is a friend of the plaintiff, underscores the interconnected and relationship-based nature of this world.

The publicity of the event, with a public complaint lodged against a notorious actor from one of the most active ransomware groups, is a rare occurrence in the underground. Violating hacker ethics by sharing internal disputes publicly is frowned upon, as highlighted by LockBit's statement: "He shared an internal dispute that shouldn't have become public, violating hackers' ethics." Indeed, in the world of the underground that relies on principles of secrecy, sensitive
discussions are typically kept behind closed doors, also to avoid attracting unwanted attention from law enforcement.

This publicity, however, could be seen as an attempt at rivalry from LockBit's competitors. The public execution, ban, and assigning of "Ripper" status could be interpreted as attempts to discredit LockBit and undermine its business. Much like in the offline world, reputation is paramount in the DarkWeb, and individuals seek to build and maintain positive relationships with trusted peers.

The LockBit ban might also be seen as a pushback from the community itself. It's possible that some members perceive LockBit as separating themselves by prioritizing their own interests over those of the community and showing their success too openly. The LockBit statement, "They are jealous of me because of how rich and successful I am. There is communism on this forum, and their goal is to dispossess the rich," may sound amusing, but it likely holds some truth and offers insight into what happened to LockBit.

"When you start all this talk about the Cartel, you have to understand that you are not alone here. You must consider other people's opinions," said Bratva, another prominent member of the Russian-speaking DarkWeb community. Indeed, in a community where collective interests often supersede individual ones, separating and placing oneself on a pedestal could be a fatal mistake.

The Russian-speaking underground presents a complex and intricate landscape shaped by multiple factors, including cultural norms, interpersonal relationships, and even the political landscape. Understanding these nuances is crucial for cybersecurity experts and law enforcement agencies in addressing cybercrime. Analyst1 continues to navigate the evolving ecosystem of ransomware for combating emerging threats and building a safer digital space.