Russian Ransomware Gangs Might be Collaborating with Chinese Hackers
The Hackers Are Apparently Looking to Collaborate with Chinese Threat Actors.
Last updated on November 18, 2021
RAMP is a Russian-language forum that debuted in July 2021 and has drawn a lot of interest from researchers and cybercriminals alike.
The forum was created on the same domain that previously housed the Babuk ransomware data leak site and then the Payload.bin data leak site.
The RAMP hacking community, which encourages Mandarin-speaking actors to join in talks, share suggestions, and coordinate on assaults, is where these attempts to attract Chinese threat actors are most visible.
High-ranking users and RAMP administrators are now actively attempting to connect with new forum members in machine-translated Chinese, according to a new investigation by Flashpoint.
According to reports, the forum has received at least thirty new user registrations from China, indicating that this may be the start of something significant.
What Is Happening?
It appears that Russian ransomware gangs are seeking to form partnerships with Chinese players in order to undertake cyber-attacks against American targets, exchange vulnerabilities, or even recruit fresh talent for their Ransomware-as-a-Service (RaaS) operations.
According to BleepingComputer, the project was begun by Kajit, a RAMP administrator who claims to have spent time in China and speaks the language.
In October, an XSS user replied to a thread with a Chinese-language ad looking for partners in a ransomware operation. Furthermore, in the wake of BlackMatter’s shutdown, the spokesperson of LockBit invited BlackMatter’s affiliates to move to China where the LockBit spokesperson claimed to be residing.
In the screenshot below, XSS user “hoffman” greets two forum members who revealed themselves as Chinese. The threat actor asks them if they could provide information about ransomware and purchasing various kinds of system vulnerabilities. The language seems to be machine-translated Chinese.
According to RAMP administrators, there are about 30 users of Chinese origin on the forum thus far. However, apart from the Chinese-language forum headings, there is no notable presence from Chinese-language threat actors. Admins promised to add content for Chinese users soon.
Notably, RAMP administrators no longer require proof of membership on Exploit and XSS—two other top-tier Russian-language illicit forums—to approve registration.
Last month, ‘Orange’ or ‘boriselcin,’ a RAMP admin who operated the “Groove” site, issued a message encouraging threat actors to strike the United States, but later on, the Groove actor stated that the operation was staged from the start in order to troll and influence the media and security experts.
As a result of the RAMP admin’s previous behavior, we should be skeptical of everything they say.
Dora is a digital marketing specialist within Heimdal™ Security. She is a content creator at heart - always curious about technology and passionate about finding out everything there is to know about cybersecurity.