Furthermore, the activity of ransomware gangs in Russian Dark Web hacking forums, where they advertise their affiliates programs, also indicates this direction. Ransomware affiliates programs usually works as follows: the ransomware developers provide the affiliates with the malware, and the affiliates are responsible for distributing and infecting the victims with the ransomware. Then, the affiliates receive a share of the profits for every victim that pays the ransom 14 . For example, since March 2020, the NetWalker ransomware gang (the fifth most active ransomware strain by the number of victims, according to our analysis) has been advertising its affiliates program on Russian Dark Web hacking forums. In their ads, they specifically note they are interested “only in experienced, Russian-speaking” affiliates 15 . NetWalker appears to have followed the footsteps of the REvil gang (also known as Sodinokibi), who has been advertising their affiliates program on the Russian underground even before NetWalker, since at least as early as June 2019 16 (although the data exfiltration tactic was only adopted by the group later). Another example is the Darkside ransomware gang, who reportedly started advertising their own affiliates program on prominent Russian Dark Web hacking forums in November 2020 17 . 17. 16. 15. 14. https://www.bankinfosecurity.com/sodinokibi-ransomware-gang-appears-to-be-making-killing-a-13269 https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/ https://threatpost.com/netwalker-ransomware-gang-top-notch-affiliates/155946/ https://www.bleepingcomputer.com/news/security/dozens-of-ransomware-gangs-partner-with-hackers-to-extort-victims/ Screenshot of an advertisement of the NetWalker ransomware gang on Russian Dark Web forum Screenshot of an advertisement of the REvil ransomware gang on Russian Dark Web forum 14 | The Ransomware Landscape