RAMP increases influence

Indications that the Russian-language ransomware forum is warming to English- and Mandarin-speaking threat actors.

There are indications that the Russian-language ransomware forum is warming to English- and Mandarin-speaking threat actors. However, these clues, outlined below, may represent a social engineering experiment aimed at manipulating the media, à la Groove.

Flashpoint has observed an increase in recent weeks in Mandarin- and Chinese-speaking threat actors on RAMP, as well as in other illicit communities across the deep and dark web.

In October, RAMP administrators made changes to the forum’s interface that make it more accessible to Chinese-speaking and English-speaking threat actors. RAMP forum sections are now in Russian, English, and Mandarin; the main administrator is addressing members in English more often than before; and there is noticeably more English content and comments, some of it even coming from Russian-speaking actors.

While it is possible that Russian-speaking ransomware operators may be seeking alliances outside of Russia—cooperative cybersecurity talks with the U.S. are currently underway—it remains unclear whether RAMP efforts to woo Chinese-speaking threat actors are in fact legitimate or simply a smokescreen.

In October, an XSS user replied to a thread with a Chinese-language ad looking for partners in a ransomware operation. Furthermore, in the wake of BlackMatter’s shutdown, the spokesperson of LockBit invited BlackMatter’s affiliates to move to China where the LockBit spokesperson claimed to be residing.

In the screenshot below, XSS user “hoffman” greets two forum members who revealed themselves as Chinese. The threat actor asks them if they could provide information about ransomware and purchasing various kinds of system vulnerabilities. The language seems to be machine-translated Chinese.

 

 

 

 
