{
	"id": "0ef6159b-0f6d-404e-8eeb-1b165eaf1cc4",
	"created_at": "2026-04-06T00:16:32.84374Z",
	"updated_at": "2026-04-10T03:21:11.886095Z",
	"deleted_at": null,
	"sha1_hash": "c04bf2d76f1e89912d4abd6430dce6cd3afd87e3",
	"title": "W4 May | EN | Story of the week: Ransomware on the Darkweb",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1800142,
	"plain_text": "W4 May | EN | Story of the week: Ransomware on the Darkweb\r\nBy Hyunmin Suh\r\nPublished: 2021-05-25 · Archived: 2026-04-05 14:57:25 UTC\r\nAn Unwanted Guest\r\nCo-Author:\r\n, @ Talon\r\nPress enter or click to view image in full size\r\nSoW (Story of the Week) publishes a report summarizing ransomware’s activity on the Darkweb. The\r\nreport includes summary of victimized firms, Top 5 targeted countries and industrial sectors, status of\r\ndark web forum posts by ransomware operators, etc.\r\nExecutive Summary\r\nOn May 13th, the notorious Russian hacking forum XSS banned all ransomware promoting posts and operators’\r\naccounts. It was Darkside ransomware’s colonial pipeline infection that triggered this incident.\r\nAs the U.S. government and FBI narrowed down the investigation, the Darkside ransomware operation server was\r\ntaken down, and even the Russian hacking forums announced that they are banning and deleting all the posts\r\nrelated to ransomware activity. Three biggest hacking forums, starting with XSS Forum, Exploit, and Raidforums,\r\nhttps://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f\r\nPage 1 of 10\n\nall halted ransomware operators’ activity, and of course, there were many disappointing posts from the\r\nransomware operators regarding such decisions made by administrator. Most of active accounts such as REvil,\r\nLockbit, and Avaddon have announced that they will either stop their activities in the forum or move out to their\r\nown independent platform.\r\nThen, where will they go? Let’s see what will happen after the consequence of banning ransomware activity in all\r\nforums.\r\n1. Weekly Status\r\nA. 
Status of the victimized firms (5/17 ~ 5/24)\r\nOver the week, a total of 67 victimized firms were mentioned, and a change in the state of the data leaked from\r\nthe victims on the ransomware sites was detected\r\n10 threat groups’ activities were detected\r\nB. TOP 5 targeted countries\r\n1. United States — 44.6%\r\n2. Germany — 10.8%\r\n3. United Kingdom — 6.2%\r\n4. Italy — 6.2%\r\n5. Australia — 4.6%\r\nC. TOP 5 targeted industrial sectors\r\n1. Industrials — 13.8%\r\n2. Services — 12.3%\r\n3. Transportation — 10.8%\r\n4. Health Care — 7.7%\r\n5. Technology — 6.2%\r\n2. Status of active Ransomware forum posts @Dark Web\r\nA. XSS Forum\r\nOn May 13th, the administrator of the XSS Forum announced that ransomware-related content is no longer\r\nallowed. Specifically, the ban is limited to the following content:\r\n- Ransomware affiliate programs;\r\n- Ransomware rental;\r\n- sale of lockers (ransomware software);\r\nIn other words, ransomware affiliate programs cannot be promoted for partner recruitment, and any form of\r\nselling Ransomware-as-a-Service (RaaS) or ransomware software itself is prohibited.\r\nObviously, the administrator’s announcement shocked the ransomware operators who were active at the time. 
For\r\nexample, the LockBit ransomware operator seems to have felt betrayed, commenting “Suddenly”.\r\nShortly after this announcement from the XSS forum, the administrators of Exploit and Raidforums announced the\r\nsame rules banning ransomware-related posts.\r\nB. Exploit \u0026 Raidforums\r\n2021.05.14 Raidforums posts that it will not allow ransomware-related content\r\n2021.05.15 Exploit forum posts that it will not allow ransomware-related content\r\n3. Ransomware operators’ next move\r\nA. REvil (Sodinokibi)\r\nDue to the change in the policy of the administrator of the XSS forum, REvil also declared retirement in\r\nExploit and will switch to a private platform\r\nB. 
Babuk\r\nSource: Bleeping Computer (https://www.bleepingcomputer.com/news/security/babuk-ransomware-readies-shut-down-post-plans-to-open-source-malware/)\r\n2021.04.29 Bleeping Computer reported that Babuk ransomware had left a note titled ‘Hello World 2’ saying it would close the BABUK project and\r\nrelease the source code to the outside\r\nI not so long ago wrote about the closure of babuk, yes, you all correctly understood babuk as a RaaS\r\nWe are a young project and everyone already knows about us, during this time we have gone ahead of ot\r\nBabuk changes direction, we no longer encrypt information on networks, we will get to you and take yo\r\nAlso for other groups that do not have their own blog or have but they want to exert additional press\r\nWe are open to offers in tox: ****Sanitized by S2W LAB\r\nHowever, just a day later, Babuk reappeared with a post titled ‘Hello World 3’ saying that it will no longer\r\nfocus on data encryption but rather on exfiltrating data.\r\nIt also states that other ransomware groups that either do not have a data leak site, or have one but want to exert\r\nadditional pressure, shall not work with Babuk.\r\nHello! 
We announce the development of something really cool, a huge platform for independent leaks, w\r\nAnother loud leak awaits you within a week.\r\nAfter that, in ‘Hello World 4’, Babuk says it is planning a huge platform for data leaks, and states that\r\nransomware groups that do not operate their own data leak sites will join together.\r\nA huge leak will happen very soon (they mentioned a week or soon)\r\nConclusion\r\nMost of the renowned hacking forums banned ransomware-related content, but the number of victimized firms was\r\nnot significantly reduced.\r\nOperators who have been kicked out of forums are likely to switch to their own platforms, and additional\r\nransomware groups that do not operate leak sites will likely join the crews.\r\nSuch sanctions against ransomware operators are just temporary, and they do not mean any termination or\r\ndownfall of ransomware gangs, so we strongly recommend never letting your guard down.\r\nHomepage: https://www.s2wlab.com\r\nFacebook https://www.facebook.com/S2WLAB/\r\nTwitter https://twitter.com/s2wlab\r\nSource: https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f"
	],
	"report_names": [
		"w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f"
	],
	"threat_actors": [],
	"ts_created_at": 1775434592,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c04bf2d76f1e89912d4abd6430dce6cd3afd87e3.pdf",
		"text": "https://archive.orkl.eu/c04bf2d76f1e89912d4abd6430dce6cd3afd87e3.txt",
		"img": "https://archive.orkl.eu/c04bf2d76f1e89912d4abd6430dce6cd3afd87e3.jpg"
	}
}