Several of the largest Russian ransomware cybercriminal gangs have teamed up and shared hacking techniques, information about stolen data breaches, malware code, and technological infrastructure.
The most active contributors are four groups known as Wizard Spider, Twisted Spider, Viking Spider and LockBit. The gangs of this cluster jointly control access to illicit data breach sites and custom ransomware code. They also partner with the larger criminal ransomware ecosystem, influence smaller gangs and license their tools to affiliates, said Jon DiMaggio, chief security strategist at Analyst1. Groups do not appear to share in the benefits of criminal activity.
“They are not a cartel in the traditional sense of the word, like the oil companies which have a lock on the supply of crude,” said DiMaggio. “But they have a technological infrastructure, and some are big enough to have their own [ransomware] coded. These are finite resources.”
The Viking Spider and LockBit groups are uploading stolen information to a data breach site hosted and controlled by Twisted Spider, according to DiMaggio's research. This information is used for phishing attacks which deliver ransomware and is posted on criminal websites which are used to embarrass and coerce victims. Gangs have also shared hacking tools and software exploits known as zero-day vulnerabilities. Twisted Spider also operates a command and control server that hosts malware and hacking tools used by other gangs, including Viking Spider, LockBit, and a now defunct group called the Suncrypt Gang.
Cybercriminal gangs often try to cultivate unique personalities and are known to use personalized strains of ransomware. The REvil and Twisted Spider gangs are associated with Maze and Egregor ransomware, respectively. Wizard Spider is linked to Ryuk and Conti.
Hacking groups frequently collaborate, split up, shut down, rebrand and regroup. Several groups of the so-called cartel cluster announced a collaboration in July 2020, then dissolved in November. The new group is potentially more powerful, DiMaggio said, due to its connections to other threat actors in the cybercrime ecosystem. For example, his research links the new group to three more gangs, including EvilCorp, a veteran hacking group led by Maksim Yakubets that targeted remote workers during the pandemic.
DiMaggio’s research also links the ransomware’s new contributors to SilverFish, a hacking group that many cybersecurity researchers believe to be in fact FSB or SVR, the Russian intelligence groups behind the.
Some ransomware gangs are so sophisticated that they have a mediation process to resolve disputes, according to DiMaggio and hackers familiar with the process. For example, REvil deposited $1 million into a fund hosted at a cybercriminal forum to secure affiliate payments, in hopes of luring top-tier hackers. When the DarkSide ransomware gang suddenly ceased operations, some of its affiliates were not paid. Money from the criminal forum was used to pay these affiliates, causing a dispute which was resolved using internal communication tools.
These tools, DiMaggio said, are part of what makes groups successful. “They can resolve the inevitable financial disputes quickly and then get back to work,” he said.
The ransomware partnership is part of the vast and growing. Much like software as a service, a booming industry that sells software subscriptions rather than downloads, ransomware as a service allows anyone to pay a fee to license a hacker's technology and skills. Groups like REvil and , allegedly responsible for some of the , offered friendly customer service and computer support to victims.
Ransomware code is relatively easy to customize. A large market for vulnerable computers combined with the pseudo-anonymity of cryptocurrency has created an environment for criminal exploitation, DiMaggio said.
This new cartel poses new challenges, said DiMaggio. He fears that a “mega-group cartel” is much more dangerous than the previous groups because it would have more structure. He added, “with coordination and organization, their ransomware strains can be more dangerous than any personal cyber weapon.”