The recent ban on ransomware ads on well-known Russian-speaking cybercrime forums (Exploit and XSS) has forced cybercriminals to promote their services using alternative methods. Two ransomware gangs, identified as Himalaya and LockBit, have been detected using their own sites to promote encryption tools and hire new affiliates.

What has happened?

A week ago, the LockBit ransomware gang advertised a new major version of their tool on their own website. Another ransomware gang, Himalaya, was also reportedly promoting its services using its own website.
  • With the launch of LockBit 2.0, the ransomware developers also announced a new affiliate recruitment session, highlighting that their encryption has not faltered since September 2019.
  • To attract affiliates, the LockBit developers claim on their website to offer the fastest encryption and file-stealing (StealBit) tools. According to the ads, the operators will only need to get access to the core server and deploy the malware.
  • Himalaya, on the other hand, offers pretty much the same things as other ransomware services. It provides already compiled and configured FUD (fully undetectable) file-encrypting malware and offers a 70% commission to affiliates.
  • According to the announcement on its website, the Himalaya gang lays out a strict rule about targets: it does not allow targeting organizations related to the public, healthcare, and non-profit sectors.

Some prefer not to recruit affiliates

KELA, the threat intelligence firm, says not all ransomware groups are looking for affiliates. There are some other players as well who prefer to work in private or discreetly.
  • The REvil gang prefers to operate discreetly and relies on its network of affiliates and connections to get new partners. In mid-May, the REvil group stated that they would carry on their activity in private.
  • Meanwhile, other prominent groups prefer to keep a low profile, considering the active hunt for ransomware actors after DarkSide encrypted Colonial Pipeline systems.

Conclusion

At present, only the Himalaya and LockBit gangs appear to be promoting their RaaS operations on their websites. However, experts say other ransomware gangs may also adopt this tactic. Organizations are therefore advised to stay alert to such evolving threats.

Cyware Publisher