- Confidential and Proprietary - Luminar Annual Threat Landscape Report Page 16

explain why they had shut down their operations, the admins of Cannazon admitted they had closed the marketplace due to repeated distributed denial-of-service (DDoS) attacks. [38]

The recent rise in ransomware operations' use of Telegram might be a countermeasure against DDoS attacks that had been monitored starting in August 2022. The DDoS attacks were designed to interrupt the gangs' activities, preventing them from publishing victims' data, and were most likely performed by rival extortion crews and government agencies. The attacks affected a wide range of groups, including LockBit, ALPHV (aka BlackCat), Quantum, LV, Hive, Everest, BianLian, Yanluowang, Snatch, and Lorenz. The ransomware leak sites were affected by connectivity issues and continued to face intermittent outages, including frequent disconnects and unreachable hosts, suggesting that this was part of a sustained effort to thwart updates to those sites. These incidents are believed to encourage threat groups to relocate their servers and services to a more distributed infrastructure, thus maintaining accessibility. [39]

4.1.3 Platform Restrictions

Underground forums are usually owned by individual criminals or criminal groups. This ownership component, combined with the community features of the forums, requires them to have strict rules that are constantly enforced. Rules are set by the forums' admins and enforced by the forums' moderators. Members of such forums are thus required to follow the admins' rules if they wish to remain active on those forums, even if they do not agree with them or have opposing interests. For instance, in May 2021, two major Russian-language hacking forums announced their decision to ban ads published by ransomware gangs in the wake of high-profile attacks which resulted in unwanted scrutiny from the US government. [40] This emphasizes the restrictions that apply to forum users due to their nature.
Due to this regulation, at least two ransomware groups posted announcements to recruit affiliates, which were traditionally published on forums, on their Dark Web data leak websites instead. [41] In this case, the ban and the restrictions were a result of the fear of possible implications due to US pressure. However, since admins ultimately control these platforms, this example emphasizes the great power they possess over all users and vendors.

4.2 Telegram-related Factors

Based on Telegram's features and the continued rise in its popularity, it seems that threat actors have many motives for preferring it over the Dark Web platforms discussed above. Telegram is

[38] https://therecord.media/dark-web-marketplace-torrez-shuts-down/
[39] https://www.darkreading.com/threat-intelligence/lockbit-alphv-ransomware-gang-leak-sites-ddos-attacks
[40] https://www.cyberscoop.com/colonial-pipeline-ransomware-xss-criminal/
[41] https://securityintelligence.com/news/ransomware-gangs-using-data-leak-sites-new-affiliates/