The unofficial judicial system is intended to provide accountability for criminals who believe they were swindled, said Jon DiMaggio, chief security strategist with cybersecurity firm Analyst1 and author of the research.

The court meets primarily on Russian-speaking online forums on the dark web, the encrypted networks that are inaccessible from conventional search engines like Google. Cases, visible only to trusted entities on sites that resemble the online message board Reddit, generally last a week.

A typical case involves a ransomware cartel that is accused of shafting a hacker by failing to pay for services or by selling access to a target company’s online infrastructure that wasn’t as vulnerable as claimed. An anonymous forum moderator acts as a judge who hears the complaint, requests evidence like chat logs and payment information, and then issues a ruling. In some cases, they may involve awarding damages, which are generally transferred through the forum’s payment system.

“So these things are pretty quickly—open and closed,” DiMaggio said. “Within a week, you’ll usually see the entire process done.”

Large damages—up to $1 million—are sometimes requested, but they are rarely awarded in full, DiMaggio said. Payouts average under $20,000. On one particular forum, he’s noticed three to six ransomware-related cases monthly.

Ransomware and other hacking groups fund online justice forums to appear more trustworthy to their criminal partners, noted DiMaggio. Hackers may also be convinced that a particular ransomware cartel is more trustworthy if they see it pay damages through the court system.

“When they want hackers for hire, they want the best ones to work for them, and there’s a lot of competition in ransomware,” DiMaggio said.

In recent months, as law enforcement increasingly publicizes ransomware attacks, DiMaggio said that online justice forums are telling parties not to use the word “ransomware” when bringing and discussing their cases. It makes it more difficult for law enforcement to find the cases online.

Although the ransomware courts are relatively new, most of them meet in Russian hacking forums that have existed for years. Similar courts do not seem to exist in other countries like China and Iran, which have much smaller ransomware communities.

And while there’s not much companies can do to stop ransomware courts, businesses should know they exist. Just like in a real legal case, compromising information about companies could emerge online during the dark court’s “discovery” process.

“There’s evidence that you may also not want exposed,” DiMaggio said. “You may not want everybody knowing what you actually negotiated and paid.”