Several of the largest Russian ransomware cybercriminal gangs have partnered up and are sharing hacking techniques, purloined data-breach information, malware code and technology infrastructure.
The most active collaborators are four groups known as Wizard Spider, Twisted Spider, Viking Spider and LockBit. The gangs in this cluster jointly control access to illicit data leak sites and custom ransomware code. They also associate with the larger criminal ransomware ecosystem, exert influence over smaller gangs and license their tools to affiliates, said Jon DiMaggio, chief security strategist at Analyst1. The groups do not appear to share profits from criminal activity.
"They're not a cartel in the traditional sense, like oil companies that have a lock on the supply of crude," DiMaggio explained. "But they do have technology infrastructure, and some are big enough to have their own [ransomware] code. These are limited resources."
The groups Viking Spider and LockBit upload stolen information to a data breach site hosted and controlled by Twisted Spider, according to DiMaggio's research. This information is used for phishing attacks that deliver ransomware and is posted to criminal name-and-shame sites that are used to embarrass and coerce victims. The gangs also hoard shared hacking tools and software exploits known as zero-day vulnerabilities. Twisted Spider also operates a command-and-control server that hosts malware and hacking tools used by other gangs including Viking Spider, LockBit and a now-defunct group called the Suncrypt Gang.
Cybercriminal gangs often try to cultivate unique personas, and are known for using customized strains of ransomware. The gangs REvil and Twisted Spider are associated with Maze and Egregor ransomware, respectively. Wizard Spider is linked to Ryuk and Conti.
New clusters are more powerful, sophisticated
Hacking groups frequently collaborate, break up, shut down, rebrand and regroup. Several groups in the so-called cartel cluster announced a collaboration in July 2020, then disbanded in November. The new cluster of gangs is potentially more powerful, DiMaggio said, because of its links to other threat actors in the cybercriminal ecosystem. For instance, his research connects the new group with three additional gangs, including EvilCorp, a veteran hacking group led by Maksim Yakubets that targeted remote workers during the pandemic.
DiMaggio's research also connects the new ransomware collaborators with SilverFish, a hacking group many cybersecurity researchers believe is actually FSB or SVR, the Russian intelligence groups behind the .
Some ransomware gangs are so sophisticated they have a mediation process to address disputes, according to DiMaggio and hackers familiar with the process. For example, REvil deposited one million dollars into a fund hosted on a cybercriminal forum to guarantee affiliate payments, in the hopes of attracting top-quality hackers. When the DarkSide ransomware gang suddenly ceased operations, some of its affiliates were not paid. Money from the criminal forum was used to pay those affiliates, causing a dispute which was resolved using internal communication tools.
These tools, said DiMaggio, are part of what makes the groups so successful. "They can resolve inevitable money disputes quickly, then get back to work," he said.
Booming cybercrime industry
The ransomware partnership is part of the large and growing ransomware-as-a-service industry. Much like software-as-a-service, a booming industry that sells subscriptions to software rather than downloads, ransomware-as-a-service allows anyone to pay a fee to license the technology and skills of a hacker. Groups like REvil and , allegedly responsible for some of the , offered friendly customer service and IT support to victims.
Ransomware code is relatively easy to customize. A large market of vulnerable computers combined with the pseudo-anonymity of cryptocurrency has created an environment ripe for criminal exploitation, said DiMaggio.
This new cartel poses fresh challenges, said DiMaggio. He worries that "a mega-group cartel" would be far more dangerous than previous groups because it would have more structure. He added, "With coordination and organization, their ransomware strains can be more dangerous than any one individual cyberweapon."