Driven to find alternative means of self-promotion after the topic of ransomware was banned on notable Russian-language cybercrime forums, ransomware operators are now using websites to attract affiliates instead.

Two dedicated ransomware gangs that require hackers to execute attacks have been observed using their websites to advertise the capabilities of their latest encryption tools, in the hopes of recruiting new talent.

Tempting affiliates by showcases criminal toolkits

The infamous LockBit ransomware group recently announced a major new version for its built-for-purpose tool, asserting that it features significant improvements regarding its rate of encryption.

To substantiate its claim, the gang apparently trialled versions of numerous ransomware excerpts and posted the exact speed measurements for file encryption online. At the same time as rolling out LockBit 2.0, the cybercriminal outfit also announced that it was initiating a new recruitment session to enlist affiliates, highlighting that its encryption method had not failed since its operations began back in September 2019.

The gang’s notice to interested parties boasted that it had the fastest malicious encryption available worldwide, and it added:

“The only thing you have to do is to get access to the core server, while LockBit 2.0 will do all the rest. The launch is realised on all devices of the domain network in case of administrator rights on the domain controller.”

This new move from the LockBit ransomware gang comes after its failed attempts back in late May to reinstate ransomware topics back on certain Russian-speaking forums by suggesting a private section be developed, for use only by entities it referred to as “authoritative users, in whom there is no doubt”.

Although it was an idea appreciated by other forum users, it was also suggested that the subject of ransomware is now better well known than the ISIS terrorist group and could potentially attract unwanted attention from the authorities to the hacker forum.

New ransomware gang follows LockBit approach

Another group, possibly imitating the seasoned LockBit ransomware gang’s recent method of self-promotion, is Himalaya. The newly formed operation became active this year and has recently started promoting its ransomware as a service solution via its dedicated website.

Like many other ransomware gangs, Himalaya offers a 70 per cent commission for its affiliates. but has strict rules regarding chosen victims. It forbids ransomware attacks against members of the public, not-for-profit organisations and facilities providing services in the healthcare sector.

Not all malicious operators using ransomware attacks are as public in their advertisements when searching for suitable partners to work with. The renowned REvil ransomware gang, for example, operates under the radar with maximum discretion. When new affiliates are required, recruitment efforts use existing partners as a channel to get the word around.

This wasn’t always the case, but after being banned from a hacker forum this year, the gang announced it would be conducting its activities more privately.

Experts anticipate that if the LockBit and Himalaya ransomware gang’s new tactics prove effective in enlisting affiliates, other threat operators are likely to adopt the same strategy to reap the rewards.