

Rob Kostich interview: After 400 million Call of Duty games sold, Activision still has big plans ahead




The Call of Duty franchise is one of the strongest in video games, with more than 400 million copies sold to date.

Call of Duty: Warzone and Call of Duty: Black Ops — Cold War are moving to Season 3’s new content today, and that gave us a reason to catch up with the boss, Rob Kostich. He’s the president of Activision Publishing and the head of the Call of Duty franchise.

There have been 19 different Call of Duty games since 2003, if you count both the free-to-play battle royale Warzone, which has been downloaded 100 million times, and Call of Duty: Mobile, which has been downloaded 300 million times. The franchise isn’t fatigued yet, and it has made it through some difficult times, such as the departure of its founding developers as Call of Duty moved to multi-studio development. It made the leap to free-to-play and its premium version is still selling extraordinarily well.

I’ve long wondered what Activision’s vision and strategy are for the franchise. I got some answers from Kostich. He’s been thinking about the metaverse, the universe of virtual worlds that are all interconnected, like in novels such as Snow Crash and Ready Player One. And he’s been contemplating how to get us to come back to some part of Call of Duty, whether it’s Warzone or a mobile platform, every day of the year.

Next week, I’ll be interviewing his boss, Activision Blizzard CEO Bobby Kotick onstage at our GamesBeat Summit 2021 event.

Here’s an edited transcript of our interview.

Above: Rob Kostich is president of Activision and head of Call of Duty.

Image Credit: Activision

GamesBeat: It seems like there’s been both deliberate and accidental steps in the evolution of Call of Duty. Zombies became this second or third experience that comes with the game. You had multiple studios launching the game, alternating every year. Then you had Warzone running year round, and Call of Duty Mobile. How do you look at what’s deliberate and what’s opportunistic in that evolution?

Rob Kostich: We’ve been planning this a lot over the last few years. The one thing we started with, we had the premium business coming out every fall with Call of Duty. We wanted to do a lot of things, and one thing we saw was continuing to pull our community closer together. That happened when, before Modern Warfare launched, we started announcing cross-progression, cross-play, new season pass, changing our monetization system. Everything we can do to bring everyone together and provide free content to our fans at the same time. The big thing we wanted to do was get the community together and get them having fun.

Warzone was the thing that was transformational to all of it. Certainly not everyone on the planet has the ability to pay $60 or the equivalent to play Call of Duty. For my money, Call of Duty is the best moment to moment action experience there is. Warzone has allowed everyone to come in and experience Call of Duty. Now it’s become the focal point, the central point, the welcome mat if you will for the franchise as we go forward.

What’s important to us is we give all of our fans an incredible fun experience with Call of Duty, whether you’re free-to-play or premium, whoever you are. In Warzone that’s the first entry point, where you’ll experience the latest and greatest the franchise has to offer. You’ll go on a narrative journey with us through time. It’s the thing that’s transformed our business. It’s made our players more excited about our premium offerings as well. They get engaged in Call of Duty, all it has to offer across Zombies and everything else.

You mentioned mobile as well. Mobile’s been an incredible way–you’ve seen the headlines, where we’ve scaled to more than 300 million downloads. We have a nice scale on that business, and now we’re also launching in China. We’ve been able to tap into new audiences unlike ever before with the franchise. What’s fascinating is–I’ve certainly been around a long time, and it’s crazy. We launched the first Call of Duty in 2003. The franchise has never been bigger, been more relevant, and impacted more people in a positive way. We’re thrilled and excited about the prospects ahead of us as we continue to evolve the franchise for our community.

GamesBeat: What else is there to do for the franchise, and how do you structure the teams going forward to do that? It seems a lot more complex than just three studios trading off each year now. You have different studios doing different pieces, like multiplayer or Zombies. How does that structure look now?

Kostich: From a structure standpoint, one of the most important things for us–we have incredible development teams. As you know, in the creative process, wanting to keep these guys accountable and passionate about the things they work on–I can tell you one thing. They’re so passionate, whether they’re working on the premium games or Warzone, and how that’s impacted the community in such a positive way.

When we launched Warzone, that was launched in partnership with Infinity Ward and Raven. Raven is now taking over Warzone in terms of live ops as we move this thing forward into the future. They’ve done an amazing job. All of our studios are collaborating and participating in that process to make sure we do this in the right way going forward, integrating our offerings together in a way that the community is excited about.

Probably the greatest news for me is I’ve never seen our studios working together better than at this point in time. They’re super collaborative. They love the opportunity. They see how people are enjoying Warzone and everything we’re doing with Call of Duty. It’s been an awesome experience for the last 12 to 18 months, how our studios have come together and are charting the course for the future of Call of Duty right now.

GamesBeat: I hear there’s something like 2,000 people working on Call of Duty. That sounds very impressive, but it also sounds like you need more.

Kostich: I don’t know if we’ve actually disclosed a total number. But we have a very big team on this. What I’ll say is that we are hiring as we move into the future. We have so many opportunities in front of us. Most of our studios are hiring very aggressively right now. In particular, we’re hiring on the mobile front. As you know, on the world’s biggest platform, I think we have incredible opportunities to expand our franchise in even greater ways. We’re hiring across console and PC development. We’re hiring across mobile development. Our opportunities are bigger than they’ve ever been, and I mean that in terms of the community and the great experiences that we can provide them as we move forward.

Above: Dean Takahashi’s Warzone report: Not very impressive, but points for persevering.

Image Credit: Activision/Twitter

GamesBeat: When you think about the most successful games in the past, people talk about market share, but it seems like what’s happening here is you’re getting a bigger share of time. How do you get people to come back to Call of Duty every day, rather than just every fall?

Kostich: We’ve gotten a bit of a crash course in that the last year, year and a half or so, across what we’re doing in mobile, what we’re doing in console and PC as well. It’s pretty simple. We need to surprise and delight our community. We have to provide them with new ways to play, new experiences. With season three I think we’re doing a fun thing right now as we transition out of season two, into Rebirth Island in the middle as we launch into season three. We’re providing new play spaces, new ways to play.

Our focus is continuing, in terms of Warzone, to push the battle royale genre forward in every way possible for our community. That’s what’s going to keep them coming back. Across our free-to-play and premium experiences, we need to keep pushing forward for our community. They deserve it. That’s what our development team is 100 percent committed to doing. For Warzone in particular we have plans years into the future now for the things we have to do. We’ve been thinking hard about this. We know how important it is to our fans. Our team is super excited to deliver on that for the community.

GamesBeat: Do you think fans would go for a Call of Duty metaverse?

Kostich: The opportunity is there for sure. Within Warzone we probably have more flexibility to explore things like that than ever before. We’re already starting to mix universes a bit. Most important, at its core, is that we provide an incredible Call of Duty experience to our fans, which we will absolutely do. There’s a lot of fun narrative things we can do over time now in the Call of Duty metaverse and how that evolves over the next few years.

GamesBeat: You’ve been quiet about the next Call of Duty. Are you shifting toward announcements later in the year for the new games? Last year was also fairly late in the cycle as far as revelations go.

Kostich: We’re probably shifting a bit more in that direction. Most of the reason is–you’ve seen what we have in season three this week. We have so much to talk about and so much going on that’s happening this week. We want to focus on that with the community, focus on the journey with them. Also, as you saw last year, we did some cool things in terms of integrating the reveal of Black Ops into Warzone. Those are the things we want to orchestrate and provide to our community, letting them discover Call of Duty themselves in their play experience. That part’s been fun for us and our development teams. Marketing is changing within Call of Duty, how we get the community to participate and uncover things for us. It might be happening later, but it’s all part of a broader agenda to bring the community along on a fun journey.

Above: Action in Call of Duty: Black Ops — Cold War multiplayer.

Image Credit: Activision

GamesBeat: Can you explain a bit of what it’s like behind the scenes in responding to something like Warzone’s success? It seems like there’s a period of time when the success is so surprising that you have to come up with contingency plans, changing the direction to take advantage of opportunities. At some point you become caught up with it. How has that process happened in the past year? Do you feel like you’re caught up now?

Kostich: I don’t think anyone’s going to ever rest on their laurels or feel caught up. For us it’s just always the pursuit of what else we can do for our fans. To your question, I think we have a good sense of how to operate. When we first launched this thing, we launched seasons. We’re getting smarter with seasons. You’ll see that evolve for us even further in terms of how we navigate through seasons, how we end one and begin another, what we do in the mid-season, how we surprise people throughout. We’re going to get even better on that front for the fans.

That part feels good. We need to hire more resources, but we’re just continuing to focus on innovating, pushing the genre forward, and providing incredible new play experiences for the community.

GamesBeat: How do you deal with things like the differences between the studios? Different game engines, different time frames they focus on. Then all of a sudden in Warzone you’re going to put everything in there. It seems like you may have to shoehorn things that may or may not fit.

Kostich: We’ve been very focused on that in particular. One of the most important concepts for us is to make sure we limit any friction for our community as we go forward. What that means behind the scenes is making sure that from a technology perspective, everything feels seamless to the player. That’s a big focus for us as we move forward, so that as you transition from one experience to the next, as new weapons come in and out of the game, it feels like a solid, continuous play experience that evolves into the future. That’s also come from our development teams working together to make that–as you swap in and out from Warzone or a premium experience in the future, it’s seamless for our community. It’s been another passionate point for our team, to make sure we can provide the best experience possible for our fans as we go forward.

On the narrative front, the Call of Duty universe is super rich with everything we can do. That’s the fun part, taking people on that journey as we move it into the future.

Above: Season Three for Warzone and Black Ops Cold War multiplayer is upon us.

Image Credit: Activision

GamesBeat: It feels like putting Zombies into Warzone–it does tie narratives together. It seems like it might be tough to do that every year, though, to tie narratives together so closely that it’s almost one game with one narrative. Whereas before, some of the freshness came to the franchise because there were different branches going in very different directions. How do you balance some of that? Some players might want something totally different, like World War II or Infinite Warfare, those very different directions.

Kostich: They can be very different. The interesting part about Warzone is that we can, from an event perspective, bring stuff in and out of Warzone to keep it fresh, provide a new experience, and transition to new things. There’s no rule set that says we have to transition to Zombies once and they forever stay. Zombies may come in and out of Warzone. Other events might come in and out of Warzone. We might have special play experiences for our fans as we transition from one place to the other. That’s the real fun part. That’s where the flexibility is for us. The Call of Duty universe is so rich in content and its history of eras and stories and things we do. We think that provides an incredible platform for new, fresh experiences within the Warzone environment for our players.

As I mentioned before, Warzone being the central point of things going on, people understand all the great things that are happening in the franchise. If they want to get a deeper experience with a certain aspect of Call of Duty, we have those premium experiences, which will differ. You’re very familiar with the franchise. You know how they differ very well. They tug a lot of different strings, whether you’re playing Modern Warfare or Black Ops or something historical. It’s great to get those experiences, but we can take parts of those and fuse them into Warzone in the longer term or for a limited time, making that fun and interesting for the community.

GamesBeat: You have a very strong rumor community. There’s a certain group that trades and thrives on that process. What can you do about setting the record straight or otherwise communicating more in that kind of environment? I’ve heard things like, “The guns come out overpowered and then they get nerfed, because that causes people to come back to the new season and pay more.” “Activision doesn’t care about stopping cheaters.” “Activision doesn’t care about file size.” There’s almost a conspiracy theory approach to everything that happens around the game. How do you channel that in a better direction?

Above: Verdansk, the home of Warzone, has been visited by 100 million players. Not so many have come out alive.

Image Credit: Activision

Kostich: There’s two parts to that. One is communication and the other is action. We’ll continue to do a better and better job of communicating with the community very frequently. In terms of action, to some of our points, you talk about the cheating. You’re familiar with this space. Any large-scale free-to-play game gets attacked about those not-good actors who are out there. You’ve probably seen that we’ve banned more than 475,000 accounts now. We have a dedicated security team. We’re investing more resources there to make sure we provide the best possible experience for our fans. We have to take action, and also communicate about that, which we’re going to do.

As far as other aspects of the business, it’s the same way. You talked about file size, for example. That’s an interesting one. When we launched Warzone, our goal was to make the best-looking, best-playing battle royale experience on the planet. I think we accomplished that. With that, though, there’s a bit of a file size that we recognize. We also have a team that’s continuously focused on taking down that footprint for our fans so they can better manage their inventory of games. We’re working on all the things you mentioned very aggressively on behalf of the community, and we’ll continue to do a better job of communicating with them.

As you know, it’s a very small world nowadays. News travels very fast. Sometimes it goes in weird directions for whatever reason. For us it’s about communication and action. At the bottom line, providing the best possible game imaginable for our fans. Across what we’re doing, across console and PC, across mobile, I mentioned this at the beginning, but the franchise has never been better, frankly. We’ve never had more opportunity in front of us. We’re excited, and more than anything we’re thankful for our community and their support. We’re more passionate than ever to surprise and delight them in the future.




Colonial Pipeline paid a $5 million ransom—and kept a vicious cycle turning



Sean Rayford | Getty Images

Nearly a week after a ransomware attack led Colonial Pipeline to halt fuel distribution on the East Coast, reports emerged on Friday that the company paid a 75 bitcoin ransom—worth as much as $5 million, depending on the time of payment—in an attempt to restore service more quickly. And while the company was able to restart operations Wednesday night, the decision to give in to hackers’ demands will only embolden other groups going forward. Real progress against the ransomware epidemic, experts say, will require more companies to say no.

Not to say that doing so is easy. The FBI and other law enforcement groups have long discouraged ransomware victims from paying digital extortion fees, but in practice many organizations resort to paying. They either don’t have the backups and other infrastructure necessary to recover otherwise, can’t or don’t want to take the time to recover on their own, or decide that it’s cheaper to just quietly pay the ransom and move on. Ransomware groups increasingly vet their victims’ financials before springing their traps, allowing them to set the highest possible price that their victims can still potentially afford.

In the case of Colonial Pipeline, the DarkSide ransomware group attacked the company’s business network rather than the more sensitive operational technology networks that control the pipeline. But Colonial took down its OT network as well in an attempt to contain the damage, increasing the pressure to resolve the issue and resume the flow of fuel along the East Coast. Another potential factor in the decision, first reported by Zero Day, was that the company’s billing system had been infected with ransomware, so it had no way to track fuel distribution and bill customers.

Advocates of zero tolerance for ransom payments hoped that Colonial Pipeline’s proactive shutdown was a sign that the company would refuse to pay. Reports on Wednesday indicated that the company had a plan to hold out, but numerous subsequent reports on Thursday, led by Bloomberg, confirmed that the 75 bitcoin ransom had been paid. Colonial Pipeline did not return a request for comment from WIRED about the payment. It is still unclear whether the company paid the ransom soon after the attack or days later, as fuel prices rose and lines at gas stations grew.

“I can’t say I’m surprised, but it’s certainly disappointing,” says Brett Callow, a threat analyst at antivirus company Emsisoft. “Unfortunately, it’ll help keep United States critical infrastructure providers in the crosshairs. If a sector proves to be profitable, they’ll keep on hitting it.”

In a briefing on Thursday, White House press secretary Jen Psaki emphasized in general that the US government encourages victims not to pay. Others in the administration struck a more measured note. “Colonial is a private company and we’ll defer information regarding their decision on paying a ransom to them,” said Anne Neuberger, deputy national security adviser for cyber and emerging technologies, in a press briefing on Monday. She added that ransomware victims “face a very difficult situation and they [often] have to just balance the cost-benefit when they have no choice with regards to paying a ransom.”

Researchers and policymakers have struggled to produce comprehensive guidance about ransom payments. If every victim in the world suddenly stopped paying ransoms and held firm, the attacks would quickly stop, because there would be no incentive for criminals to continue. But coordinating a mandatory boycott seems impractical, researchers say, and likely would result in more payments happening in secret. When the ransomware gang Evil Corp attacked Garmin last summer, the company paid the ransom through an intermediary. It’s not unusual for large companies to use a middleman for payment, but Garmin’s situation was particularly noteworthy because Evil Corp had been sanctioned by the US government.

“For some organizations, their business could be completely destroyed if they don’t pay the ransom,” says Katie Nickels, director of intelligence at the security firm Red Canary. “If payments aren’t allowed you’ll just see people being quieter about making the payments.”

Prolonged shutdowns of hospitals, critical infrastructure, and municipal services also threaten more than just finances. When lives are literally at stake, a principled stand against hackers quickly drops off of the priorities list. Nickels herself recently participated in a public-private effort to establish comprehensive United States–based ransomware recommendations; the group could not agree on definitive guidance about if and when to pay.

“The Ransomware Task Force discussed this extensively,” she says. “There were a lot of important things that the group came to a consensus on and payment was one where there was no consensus.”

As part of a cybersecurity Executive Order signed by President Joseph Biden on Wednesday, the Department of Homeland Security will create a Cyber Safety Review Board to investigate and debrief “significant” cyberattacks. That could at least help more payments be made in the open, giving the general public a fuller sense of the scale of the ransomware problem. But while the board has incentives to entice private organizations to participate, it may still need expanded authority from Congress to demand total transparency. Meanwhile, the payments will continue, and so will the attacks.

“You shouldn’t pay, but if you don’t have a choice and you’ll be out of business forever, you’re gonna pay,” says Adam Meyers, vice president of intelligence at the security firm CrowdStrike. “In my mind, the only thing that’s going to really drive change is organizations not getting got in the first place. When the money disappears, these guys will find some other way to make money. And then we’ll have to deal with that.”

For now, though, ransomware remains an inveterate threat. And Colonial Pipeline’s $5 million payment will only egg on cybercriminals.

This story originally appeared on



Talend: 36% of business leaders don’t rely on data to make decisions




Even as enterprise leaders tout the importance of data, 36% of business leaders don’t rely on it for making critical decisions, according to a survey by Talend, an open source data integration platform. The same survey found that 78% of business executives face challenges effectively working with data to make decisions.

Above: 40% of business leaders still rely on gut decisions, not data.

Image Credit: Talend

Our relationship with data is not healthy. Talend’s survey found only 40% of executives always trust the data they work with. For decades, managing and using data for analysis was focused on the mechanics: the collecting, cleaning, storing, and cataloging of as much data as possible, then figuring out how to use it later. Companies don’t know what data they have, where it is, or who is using it, and, critically, have no way to measure their data health.

Data health is Talend’s vision of a comprehensive system for ensuring the well-being and return of corporate information. Data health offers proactive treatments, quantifiable measures, and preventive steps to identify and correct issues, ensuring that corporate data is clean, complete, and uncompromised.

Data health is a complex journey of unique requirements, regulations, and risk tolerance. It will take substantial market collaboration and research to align on appropriate standards for different companies. Eventually, data health solutions will help create a universal set of metrics to evaluate the health of corporate data and establish it as an essential indicator of the strength of a business. Talend’s initial framework imagines four primary focus areas to establish data health: reliability, visibility, understanding and value. We believe that data health will become a key, if not the most important, performance framework used within and across organizations to monitor and evaluate the health of the company. With this new data health first approach, and new standards, leaders can level the employee playing field and drive a data-charged cultural change.

From March 24th to April 8th, 2021, Talend led a survey via Qualtrics among a base of 529 independent respondents worldwide (57% North America, 26% Asia-Pacific, 17% Europe). The respondents are all executives — with titles ranging from director to the C-suite — from medium and large companies making more than $10 million in annual revenue.

Read Talend’s full report Data Health Survey.




Pipeline attacker Darkside suddenly goes dark—here’s what we know



Darkside—the ransomware group that disrupted gasoline distribution across a wide swath of the US this week—has gone dark, leaving it unclear if the group is ceasing, suspending, or altering its operations or is simply orchestrating an exit scam.

On Thursday, all eight of the dark web sites Darkside used to communicate with the public went down, and they remain down as of publication time. Overnight, a post attributed to Darkside claimed, without providing any evidence, that the group’s website and content distribution infrastructure had been seized by law enforcement, along with the cryptocurrency it had received from victims.

The dog ate our funds

“At the moment, these servers cannot be accessed via SSH, and the hosting panels have been blocked,” the post stated, according to a translation of the Russian-language post published Friday by security firm Intel471. “The hosting support service doesn’t provide any information except ‘at the request of law enforcement authorities.’ In addition, a couple of hours after the seizure, funds from the payment server (belonging to us and our clients) were withdrawn to an unknown account.”

The post went on to claim that Darkside would distribute a decryptor free of charge to all victims who have yet to pay a ransom. So far, there are no reports of the group delivering on that promise.

If true, the seizures would represent a big coup for law enforcement. According to newly released figures from cryptocurrency tracking firm Chainalysis, Darkside netted at least $60 million in its first seven months, with $46 million of it coming in the first three months of this year.

Identifying a Tor hidden service would also be a huge score, since it likely would mean that either the group made a major configuration error in setting the service up or law enforcement knows of a serious vulnerability in the way the dark web works. (Intel471 analysts say that some of Darkside’s infrastructure is public-facing—meaning the regular Internet—so malware can connect to it.)

But so far, there’s no evidence to publicly corroborate these extraordinary claims. Typically, when law enforcement from the US and Western European countries seize a website, they post a notice on the site’s front page that discloses the seizure. Below is an example of what people saw after trying to visit the site for the Netwalker group after the site was taken down:

[Image: Netwalker seizure notice]

So far, none of the Darkside sites display such a notice. Instead, most of them time out or show blank screens.

What’s even more doubtful is the claim that the group’s considerable cryptocurrency holdings have been taken. People who are experienced in using digital currency know not to store it in “hot wallets,” which are digital vaults connected to the Internet. Because hot wallets contain the private keys needed to transfer funds to new accounts, they’re vulnerable to hacks and the types of seizures claimed in the post.

For law enforcement to confiscate the digital currency, Darkside operators likely would have had to store it in a hot wallet, and the currency exchange used by Darkside would have had to cooperate with the law enforcement agency or been hacked.

It’s also feasible that close tracking by an organization like Chainalysis identified wallets that received funds from Darkside, and law enforcement subsequently confiscated the holdings. Indeed, Elliptic, a separate blockchain analytics company, reported finding a Bitcoin wallet used by DarkSide to receive payments from its victims. On Thursday, Elliptic reported, it was emptied of $5 million.

At the moment, it’s not known if that transfer was initiated by the FBI or another law enforcement group, or by Darkside itself. Either way, Elliptic said the wallet—which since early March had received 57 payments from 21 different wallets—provided important clues for investigators to follow.

“What we find is that 18% of the Bitcoin was sent to a small group of exchanges,” Elliptic Co-founder and Chief Scientist Tom Robinson wrote. “This information will provide law enforcement with critical leads to identify the perpetrators of these attacks.”

Nonsense, hype, and noise

Darkside’s post came as a prominent criminal underground forum called XSS announced that it was banning all ransomware activities, a major about-face from the past. The site was previously a significant resource for the ransomware groups REvil, Babuk, Darkside, LockBit, and Nefilim to recruit affiliates, who use the malware to infect victims and in exchange share a cut of the revenue generated. A few hours later, all Darkside posts made to XSS had come down.

In a Friday morning post, security firm Flashpoint wrote:

According to the administrator of XSS, the decision is partially based on ideological differences between the forum and ransomware operators. Furthermore, the media attention from high-profile incidents has resulted in a “critical mass of nonsense, hype, and noise.” The XSS statement offers some reasons for its decision, particularly that ransomware collectives and their accompanying attacks are generating “too much PR” and heightening the geopolitical and law enforcement risks to a “hazard[ous] level.”

The admin of XSS also claimed that when “Peskov [the Press Secretary for the President of Russia, Vladimir Putin] is forced to make excuses in front of our overseas ‘friends’—this is a bit too much.” They hyperlinked an article on the Russian News website Kommersant entitled “Russia has nothing to do with hacking attacks on a pipeline in the United States” as the basis for these claims.

Within hours, two other underground forums—Exploit and Raid Forums—had also banned ransomware-related posts, according to images circulating on Twitter.

REvil, meanwhile, said it was banning the use of its software against health care, educational, and governmental organizations, The Record reported.

Ransomware at a crossroads

The moves by XSS and REvil pose a major short-term disruption of the ransomware ecosystem since they remove a key recruiting tool and source of revenue. Long-term effects are less clear.

“In the long run, it’s hard to believe the ransomware ecosystem will completely fade out, given that operators are financially motivated and the schemes employed have been effective,” Intel471 analysts said in an email. They said it was more likely that ransomware groups will “go private,” meaning they will no longer publicly recruit affiliates on public forums, or will unwind their current operations and rebrand under a new name.

Ransomware groups could also alter their current practice of encrypting data so it’s unusable by the victim while also downloading the data and threatening to make it public. This double-extortion method aims to increase the pressure on victims to pay. The Babuk ransomware group recently started phasing out its use of malware that encrypts data while maintaining its blog that names and shames victims and publishes their data.

“This approach allows the ransomware operators to reap the benefits of a blackmail extortion event without having to deal with the public fallout of disrupting the business continuity of a hospital or critical infrastructure,” the Intel471 analysts wrote in the email.

For now, the only evidence that Darkside’s infrastructure and cryptocurrency have been seized is the words of admitted criminals, hardly enough to consider confirmation.

“I could be wrong, but I suspect this is simply an exit scam,” Brett Callow, a threat analyst with security firm Emsisoft, told Ars. “Darkside get to sail off into the sunset—or, more likely rebrand—without needing to share the ill-gotten gains with their partners in crime.”
