Researchers have uncovered a new cybercriminal trend where Russian hackers are running contests on cybercriminal forums, such as Exploit and XSS, with increasingly high-stakes prizes. 

According to Digital Shadows researchers, these forum-based contests are not exactly new, but prize values have recently increased as major hacking teams, such as Sodinokibi (aka REvil), are signing on to sponsor such competitions.   

Digital Shadows’ research indicates that hacking groups like Sodinokibi have taken interest in these competitions to foster technical skills among forum members, increase awareness of the availability of ransomware on the forum (potentially increasing their sales) and gain valuable intelligence they could use for future malware development.

"Cybercriminal forums need to attract and retain members in order to survive, and being able to present a site as a valuable repository of articles discussing pertinent cybercriminal issues is a real draw. Articles competitions raise the level of collective expertise on the forum, thus increasing the site’s objective “value” as a hacking resource," say the researchers in a blog.

"Articles competitions may also encourage trading in the subjects discussed in the pieces, which in turn benefits the site via earned commission. Finally, fostering a sense of community is an important part of competitions that should not be overlooked: Forums with the strongest feelings of togetherness tend to be the most disciplined, which in turn leads to a better user experience for all involved," notes the researchers. 

According to Digital Shadows, in December 2019 the XSS administrator announced a third annual forum articles competition. Accepted topics for original articles included (translated from Russian):

• “Searching for 0day and 1day vulnerabilities. Developing exploits for them
• APT attacks. Hacking LAN, elevating rights, hijacking domain controller, attack development
• Interesting combinations, algorithms. Writing your own crypto algorithms and hacking other people’s
• Innovative functionality, reviews, analysis of interesting algorithms that are used, development prospects
• Forensics. Digital forensics. Software, tricks, methods” 

At the end of the competition announcement, say the researchers, the administrator revealed that the competition had been sponsored and funded by the Sodinokibi (aka REvil) ransomware team, which has representatives on the forum. The finalist would also win the opportunity to “work with” the Sodinokibi team under “mutually beneficial conditions."

Researchers note that by sponsoring a competition in which forum users pen articles on topics related to ransomware, the Sodinokibi team can increase awareness of ransomware on the forum (thus potentially increasing their sales) and perhaps gain valuable intelligence they could use in their future malware development. "If competition entries do increase for this event, it may be that in the coming months more cybercriminals will come to realize the advantageous cost-benefit calculation associated with organizing a forum competition and that similar competitions will become more frequent. It appears that, after a slow start, the forum competition in some form or another is here to stay," conclude the researchers. 

Alex Guirakhoo, Strategy and Research Analyst at Digital Shadows, and one of the authors of the blog, says that it is possible that other cybercriminal groups are sponsoring similar competitions. "The article themes posed by the Sodinokibi team on XSS are incredibly specific; these types of forum competitions can be a way for cybercriminals to effectively crowdsource new TTPs, which they can then incorporate into their attacks. In Sodinokibi’s case, they also offered what effectively amounts to a kind of “cybercriminal internship” to the competition winner."

"In addition to the forums themselves benefiting from increasing their level of exposure and user expertise, cybercriminal groups may also use these to poach new members," Guirakhoo says. "The combination of additional cybercrime membership and heightened technical capabilities can increase the overall threat posed by such cybercriminal organizations to the businesses and consumers who end up being targeted by their attacks.”

For the full blog, please visit Digital Shadows.