According to recent research, an alleged cartel of four gangs has been distributing and posting victim data across leak websites belonging to other gangs working together. The four affiliated ransomware gangs suspected to be working within the cartel include Wizard Spider, Viking Spider, Twisted Spider, and LockBit.

What was discovered?

The whitepaper Ransom Mafia – Analysis of the World’s First Ransomware Cartel contains an analytical assessment, providing several pointers indicating the existence of this ransomware cartel.
  • Multiple gangs are coordinating via cartel leak websites, such as sharing tactics and C2 infrastructure.
  • The report mentioned that one ransomware gang stole data from a victim and then passed it to another gang to post publicly.
  • Multiple gangs added automated capabilities into their ransom payloads to spread and infect their victims without human interaction.
  • Altogether, the gangs in the cartel made hundreds of millions of dollars from ransomware and extortion operations.

Linking the gangs

Analyst1 has discovered two strong connections between affiliated groups named in its report that show how they work together as something like a cartel.
  • Shared data leak sites: Twisted Spider posted victim data collected by LockBit and Viking Spider.
  • Shared infrastructure: SunCrypt used IP addresses and C2 infrastructure of Twisted Spider to deliver its ransomware payload. In addition, the ChaCha20 stream cipher used in SunCrypt ransomware is derived from Twisted Spider’s Maze and Egregor ransomware.

The twist in the story

In November 2020, Twisted Spider made an announcement that it was shutting down its operation and claimed that the cartel never existed.
  • Furthermore, the above coalition of ransomware attackers missed an essential element—profit sharing—that is required in a partnership to qualify as a cartel.
  • When researchers followed the money trail by tracking the associated crypto accounts, no evidence was found regarding profit-sharing among the gangs in the cartel.
  • These factors indicated that no cartel actually existed and the groups were just collaborating on jobs.

Double twist

Some researchers suspected that continuous attention from law enforcement and government entities had forced Twisted Spider to make a false statement about its retirement. They believe that the gangs continue to operate together, however, they are avoiding public display of their collaboration.


Researchers are still not able to conclude if this was an actual cartel. Nevertheless, the collaboration between multiple ransomware gangs is very dangerous due to shared financial resources and attack infrastructure.

Cyware Publisher