With the recent shutdown of another prominent dark web market, the ransomware supply chain faced disruption.
After the fall of Silk Road back in 2013, Dream Market was one of the major remaining darknet markets for illicit products and services.
In late-March, Dream's admins announced they would be shutting down the site and transferring services to a "partner company."
Vendors and customers are now taking their business elsewhere, for fear of a possible law enforcement takedown.
Meanwhile, communications between hackers and their ransomware victims have ended because malware operators rushed to disconnect and delete accounts linked to Dream Market.
Panic Among the Dream Market Users
The moderators behind Dream Market announced the shutdown the same day as DEA, Europol and FBI officials announced 61 arrests linked to drug trafficking on the dark web.
Both announcements scared darknet market users to cover their tracks in order not to be connected to Dream Market in any way.
Many in the community are concerned about a possible honeypot operation, whereby law enforcement agencies quietly gain control over a market, observe users' behavior, gather evidence of their activities and round up suspects in one major bust.
This is exactly what happened two years ago with Hansa Market. Before Hansa Market was seized in July 2017, Dutch police quietly ran the marketplace for a month, with the intent to collect as much incriminating evidence as possible.
It is now speculated that maybe the law enforcement did actually run Dream Market's website before its shutdown was announced a few weeks ago.
In January 2019, with the takedown of xDedic market, it was theorized that the police actually seized users' account credentials in order to gain access to email accounts and build profiles on the market's participants.
With the shutdown of Dream Market, other top markets such as Wall Street Market and Tochka Market are expected to become the next go-to destination for the darknet community.
Ransomware Distributors Try to Rescue the Disrupted Ransom Extortions
With the abandon of email addresses, the communications between ransomware victims and the distributors went silent.
Many active extortion negotiations never really ended, so the distributors thought of creative ways to save the disrupted extortion campaigns.
A new report by ransomware incident response firm Coveware gives some insight into how exactly this development is unfolding.
With a message like the one below, many ransomware operators reached out to ransomware incident firms.
This was done in an attempt to recover the ransom payments that were previously made.
Following this example, we can see that the operator from the distribution group Dharma that already used the @qq.com handle, the purchase of Google Ads is advised.
According to this message, this would help to attract the abandoned victims that may look for help online.
However, by searching on Google, it was found that no firm has taken the offer that was suggested in the email.