Ransomware Gangs Are Teaming Up to Form Cartel-Style Structures
The latest moves from ransomware groups suggest that gangs are forging alliances to create a mafia-style structure.
Recent ransomware attacks from well-known cybercriminal groups have been suggesting that gangs are forging cartel-style alliances to pressure their respective victims to pay the ransom requests.
Cointelegraph has obtained access to what seems to be a darknet site that belongs to the Maze group. On the site, Maze has been leaking stolen data beginning sometime after Sunday.
The central feature to highlight is that the gang notes that Ragnar Locker, another ransomware group, provided the info, as the title of the blog post says: “MAZE CARTEL Provided by Ragnar.” Some of the victims listed are United States-based companies.
Speaking with Cointelegraph, Brett Callow, a threat analyst at malware lab Emsisoft, stated that Ragnar Locker’s leak site is currently offline, suggesting that it might have pulled the site permanently and plans to distribute all future leaks via Maze. Still, he clarified that this is not confirmed yet.
Leaking data becoming a pattern in Maze’s ransomware attacks
Maze has been leaking stolen data from ransomware attacks against companies in different industries through the group’s darknet website when the victims refuse to pay the ransom.
Cyber intelligence company Kela revealed that at some point in the first week of June, Maze operators added another bunch of data stolen — but from another ransomware gang known as LockBit.
Future alliances coming up soon?
In statements sent to BleepingComputer on June 3, the Maze group said the following:
“In a few days another group will emerge on our news website, we all see in this cooperation the way leading to mutual beneficial outcome, for both actor groups and companies.”
The average ransom payments requested by the groups exceed $100,000 per incident, often in Bitcoin (BTC) and Monero (XMR). In some reports, victims are said to have paid up to “millions” of dollars.
Callow commented on the Ragnar Locker stolen data made available on Maze’s site:
“Ragnar Locker are likely banking on the Maze group’s name recognition to further pressure companies into meeting their demands. While this is only the second such collaboration that we’re aware of, it’s likely that other groups will join the cartel if they believe it is in their financial interests to do so.”
Recent Maze’s attacks
The Maze ransomware group has made a number of headlines due to its recent attacks.
Cointelegraph reported on May 6 that the gang infected two U.S.-based plastic surgery studios with ransomware. It subsequently leaked patients’ Social Security numbers and other sensitive information onto the internet.
Maze recently claimed to have hacked a major egg producer, Sparboe.