Too-hot-to-handle ransomware excluded from scheme
Cybercrime forums are evolving to include more mature dispute resolution and arbitration procedures which are in some ways comparable to legitimate courts.
Threat actors hold court/arbitrage hearings to determine fault among thieves.
Disputes over the sale of illegitimate products and services can be argued in these mostly Russian-language forums, but issues concerning ransomware have been excluded over recent months because they attract too much unwanted attention – and might even invite interdiction by law enforcement.
Honour amongst thieves
Jon DiMaggio, former intelligence community agent and chief security strategist at Analyst1, explained that despite selling and offering primarily illegal services, forum administrators created these arbitration programs to properly handle disputes.
Dispute resolution is important to guard against so-called ‘rip off merchants’, safeguarding the reputation of cybercrime hangouts.
In addition, forum administrators set up a voluntary escrow capability (where funds are held by a neutral third party) to guarantee payments should a dispute arise. Funds remain in escrow until both the buyer’s payments are assured and the goods or services have been received.
Ransomware biznes, net spasibo
Ransomware is a huge draw to cybercriminals and has arguably attracted a lot of new members into these cybercrime forums, but the trade carries a heavy risk to forum administrators, especially since the Colonial Pipeline and JBS Meat attacks.
Arbitrations about ransomware, commonplace before May 2021, have been ruled out of scope of the dispute resolution process, according to Analyst1.
DiMaggio told The Daily Swig: “They [forum administrators] do not want any topic, let alone ransomware, to bring additional heat which could result in the site being taken down or disrupted. They make plenty of money with other services and malware distribution sales, that it is just not worth the risk with ransomware.”
Analyst1’s research focuses on the dispute resolution process in Russian-language cybercrime forums. “The Russian sites have existed the longest and are some of the more well-known forums,” DiMaggio explained.
Since the inception of one of the major Russian-speaking cybercrime forums, a total of more than 600 threads with requests for arbitrage have been created.
The median figure for compensation is considered to be between a few hundred and up to a few thousand US dollars, according to Analyst1.
In most instances, disputes centre around requests for financial compensation, but in other instances the scammed person is so angry that they decide to handle the incident on a more personal level by doxing “defendants”.
In one example cited by Analyst1, a threat actor leaked the scammer’s full identity including their physical address, social media profiles, phone number, and even relatives’ information.
This might be taken as an example of dispute resolution failing to work.
Other threat intel agencies including Digital Shadows have also charted the growth and increased sophistication of dispute resolution in cybercrime forums, many if not all of which are located on the dark web.
James Chappell, co-founder and chief innovation officer at Digital Shadows, told The Daily Swig: “Trust and reputation plays an important role in criminal collaboration, and as the forums which facilitate cybercrime have grown, so have tools which are directly aimed at maintaining this trust.”
Administrators ultimately act as arbiter in disputes, ruling and enforcing when a dispute comes about. But what started as a simple “complaint to the forum admin” procedure has become more sophisticated over time, Chappell explained.
In some Russian-speaking forums, notably XSS and Exploit, the simple ‘complain to the admin’ approach has become more organized and sophisticated. In these cases, there are formal, transparent processes in place. Grievances are escalated via an online form.
The disputing parties are invited to submit evidence, which may be public or direct. As evidence may be fabricated, it is also scrutinised by other trusted users on the forum. They are invited to weigh in on the discussion, almost as a jury would. There are others who may vouch for their dealings with one of the parties involved.
All sides are involved in the discussion until an outcome is reached. The outcome may include financial penalties (fines or refunds) or temporary and permanent bans.