It was in November 2020 that the notorious Maze ransomware took retirement from its data-stealing operations after bagging millions of ransom for its operators. Though active for a span of around a year, between 2019 and 2020, the ransomware gang became a pioneer of various activities that led to the emergence of the ransomware 2.0 landscape. Some of the never-seen-before strategies included the double-extortion scheme and the formation of a ransomware cartel.

Although the ransomware has shut down its operation, researchers have dug out some eye-opening details of the cartel. For the uninitiated, the cartel was first proposed by Twisted Spider (the creator of Maze ransomware) with an intention to share tactics and tips and publish data stolen by other groups.

What was the cartel about?

According to a detailed study from Analyst1, four cybercriminal groups - Twisted Spider, Viking Spider (the creator of Ragnar Locker ransomware), Wizard Spider (the creator of Conti and Ryuk ransomware), and the Lockbit gang (the creator of Lockbit ransomware) had come together to form a cartel during May 2020.
  • Initially, the SunCrypt ransomware gang was also a part of the collaborated team. However, soon after its retirement, the cartel was only limited to four groups.  
  • It was found that the groups rarely collaborated with each other, following which there was hardly any evidence showing that the members shared their profits.
  • Yet the groups only appeared distributing/posting victim data across leak websites belonging to other gangs within the cartel.  
  • Due to the above-mentioned factors, researchers claimed that the ransomware cartel failed to fully capitalize on the concept of joining forces.
  • The only motive behind the formation of the cartel was to appear larger, stronger, and more powerful to further intimidate victims into paying ransom demands. 

Undoubtedly, the rise in extortion incidents in the last year stands the fact that the cartel has achieved the desired output. But, what the road forward looks like for ransomware groups? Experts lay down additional insights.

To be noted

  • The report warns that the ransomware gangs are putting efforts toward improving tools to automate their attacks. Adding automated capabilities to ransom payloads can allow attackers to spread and infect victims without human interaction. 
  • Moreover, ransom demands will continue to increase. Overall, gangs in the cartel have generated hundreds of millions of dollars from ransomware and data extortion operations. 

What is Twisted Spider up to now?

  • Despite the failure to lead the cartel, the Twisted Spider gang continues to be active in the threat landscape with its another creation called Egregor ransomware.    
  • It has been using the Egregor ransomware since its inception in September 2020. The gang has created two different online personas, one each for Maze ransomware and the other for Egregor ransomware.

What to infer from this?

Ransomware groups are becoming more sophisticated. It is likely that the gangs can form another cartel relationship again. If gangs realize the benefits of an organized structure hierarchy that shares resources and finances, they could become even more dangerous. This would result in more ransomware attacks, which will increase the number of victims extorted.

Cyware Publisher