Russian cybercrime forum XSS claims to ban ransomware following Colonial Pipeline hack

There's newfound pressure on ransomware operators.

In the wake of the disruption to Colonial Pipeline, a popular Russian-language criminal forum has claimed it will ban the sale of ransomware tools, according to multiple researchers who monitor the site.

XSS, a prominent underground forum for hacking tools and other scams, on May 13 said the platform would forbid “ransomware sales, ransomware rental and ransomware affiliate programs,” according to the threat intelligence firm Digital Shadows. The XSS administrator also claimed it would remove all posts mentioning ransomware.

The forum post attributed the ban to ransomware attracting too much “hype” and attention from outsiders, but ransomware operators frequently engage in self-serving public relations stunts.

The development pointed to newfound pressure that ransomware operators were feeling following the breach of the IT systems at Colonial Pipeline, the main artery for delivering fuel to the East Coast. The ransomware incident forced Colonial Pipeline to shut down for days. Though service is being gradually restored, the disruption led to concerns over gasoline-hoarding and price-gouging, and to emergency orders from federal agencies to alleviate any fuel shortages.


The FBI has blamed DarkSide, a strain of ransomware tied to Russian-speaking scammers that emerged in August 2020, for the disruption. President Joe Biden has pledged to take action against the hackers and has not ruled out a retaliatory cyberattack.

DarkSide is both the name of the ransomware and the hacker syndicate that develops the code and sells it to other groups. The website that DarkSide uses to shame victims into paying ransoms was offline on Friday, though what exactly was happening with the group was unclear.

An underground forum post from DarkSide claimed that the group had lost access to some of its infrastructure, and that it was closing its “affiliate program,” according to the threat intelligence firm Intel 471. DarkSide also said it would provide decryption keys to any targets from which it had demanded ransom by May 23, according to the post. CyberScoop was unable to verify the authenticity of the post, and statements from cybercriminals are notoriously unreliable.

Other investigators were reluctant to draw any definitive conclusions from the underground chatter.

“We have not independently validated these claims and there is some speculation by other actors that this could be an exit scam,” said Kimberly Goody, senior manager of financial crime analysis at Mandiant Threat Intelligence.


Spokespeople for the National Security Council and the FBI declined to comment when asked if any disruption to DarkSide operations was the result of U.S. action.

“We don’t know the full story that happened in the past 24 hours,” said Dmitry Smilyanets, an analyst at threat intelligence firm Recorded Future who closely tracks DarkSide. “It is hard to predict what happens next, but usually, [cybercriminals like DarkSide] do damage control, wait, rebrand, and start all over again.”

Ransomware has vaulted to the forefront of U.S. cybersecurity concerns as health care organizations, manufacturers and other critical infrastructure have experienced disruptions during the pandemic. Ransomware payments from victims increased by 311% in 2020 to reach nearly $350 million in cryptocurrency, according to Chainalysis, a firm that traces blockchain payments.

The Biden administration has been under increasing pressure to put a dent in the ransomware scourge, and has announced multiple law enforcement and cybersecurity initiatives to do so.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
