The adage “Apes Together Strong” denotes apes working together for a common goal that eventually benefits them all. Similarly, several cybercriminal groups join hands to make their hacking attempts more intense and successful. Most threat actor groups have a presence in underground marketplaces where they share details related to malicious tools, malware samples, and hacking targets. We often encounter news about various ransomware campaigns globally, but what most of us do not know is that they are often interrelated.
A recent analysis by threat intelligence firm Analyst1, called “Ransom Mafia – Analysis of the World’s First Ransomware Cartel,” revealed that cybercriminal groups behind certain ransomware campaigns often maintain a relationship with each other to form a cartel in the underground hacking world.
A ransomware cartel is a gathering of several cybercriminal gangs who collaborate in ransom operations by sharing resources, tactics, and profits. Analyst1 researchers analyzed the attackers’ Bitcoin wallets and their associated transactions to trace the money trail from victims to the threat actor gang, and from the gang to its other partners in the cartel. A ransomware cartel is often formed to expand its reach and revenue.
The Origin of the Ransomware Cartel
Researchers found that threat actor group Twisted Spider began a cartel in November 2020, after announcing the shutdown of its Maze ransomware operations. While the retirement claim was false and misleading, the Twisted Spider gang formed a ransomware cartel with Wizard Spider, Viking Spider, Lockbit, and SunCrypt gangs.
“The first tie we found provided evidence that the groups are working together and sharing resources to extort victims. Several gangs compromised and stole victim data, which they passed on to Twisted Spider. Twisted Spider then posted the victim’s data and attempted to negotiate a ransom on their data leak site. This type of collaboration and sharing would not occur unless all three criminal elements had a trusted relationship with one another,” Analyst1 said.
- The cartel-affiliated gangs distributing/posting victim data across leak websites belonged to other gangs within the cartel. In other words, one gang breached and stole data from a victim and passed it to another gang to post publicly and negotiate with the victim.
- Multiple gangs within the cartel coordinate via Cartel leak websites, including sharing tactics, command and control infrastructure, and sharing/posting victim data.
- Attackers are moving towards automating their attacks. Multiple gangs have added automated capabilities into their ransom payloads, allowing them to spread and infect their victims without human interaction.
- Ransom demands continue to increase. Collectively, gangs in the cartel generated hundreds of millions of dollars from ransomware and data extortion operations.
- Several cartel gangs offer Ransomware as a Service (RaaS), hiring hackers to execute attacks while providing them with malware, infrastructure, and ransom negotiation services.
- Attackers are conducting PR interviews with reporters, issuing press releases, and leveraging social media ads and call centers to harass and pressure victims into paying.
- Attackers are reinvesting profits made from ransom operations to advance both tactics and malware to increase their success and revenue. Malware is updated regularly, adding new sophisticated features.
- Wizard Spider developed unique malware geared towards espionage. Analyst1 could not validate how Wizard Spider uses it in attacks. Its existence alone is troubling. We found no other gang in the cartel that uses or develops espionage malware.
The Cartel Continues
Ransomware groups deliberately announce that they are shutting down their operations; however, they end up using their cartel affiliations to come back stronger and larger.
“Analyst1 believes these ransomware gangs will continue to work with one another. The working relationship, however, will likely continue to be done behind the scenes and not on a public level. Groups will continue to share tactics and resources, making them far more dangerous than if they were operating independently. Both ransomware and malware used to gain initial compromise will increase in their levels of sophistication and capability,” Analyst1 added.