Several of the largest Russian ransomware cybercriminal gangs have partnered up and are sharing hacking techniques, purloined data-breach information, malware code, and technology infrastructure.
The most active collaborators are four groups known as Wizard Spider, Twisted Spider, Viking Spider, and LockBit. The gangs in this cluster jointly control access to illicit data leak sites and custom ransomware code. They also associate with the larger criminal ransomware ecosystem, exert influence over smaller gangs and license their tools to affiliates, said Jon DiMaggio, chief security strategist at Analyst1. The groups do not appear to share profits from criminal activity.
“They’re not a cartel in the traditional sense, like oil companies that have a lock on the supply of crude,” DiMaggio explained. “But they do have technology infrastructure, and some are big enough to have their own [ransomware] code. These are limited resources.”
Ransomware groups Wizard Spider, Twisted Spider, Viking Spider, and LockBit are collaborating with each other.
The groups Viking Spider and LockBit upload stolen information to a data breach site hosted and controlled by Twisted Spider, according to DiMaggio’s research. This information is used for phishing attacks that deliver ransomware, and it is posted to criminal name-and-shame sites used to embarrass and coerce victims. The gangs also hoard shared hacking tools and software exploits for previously unknown flaws, known as zero-day vulnerabilities. Twisted Spider also operates a command-and-control server that hosts malware and hacking tools used by other gangs, including Viking Spider, LockBit and a now-defunct group called the Suncrypt Gang.
Cybercriminal gangs often try to cultivate unique personas and are known for using customized strains of ransomware. The gangs REvil and Twisted Spider have been associated with Maze and Egregor ransomware, respectively. Wizard Spider is linked to Ryuk and Conti.
Hacking groups frequently collaborate, break up, shut down, rebrand, and regroup. Several groups in the so-called cartel cluster announced a collaboration in July 2020, then disbanded in November. The new cluster of gangs is potentially more powerful, DiMaggio said, because of its links to other threat actors in the cybercriminal ecosystem. For instance, his research connects the new group with three additional gangs, including EvilCorp, a veteran hacking group led by Maksim Yakubets that targeted remote workers during the pandemic.
DiMaggio’s research also connects the new ransomware collaborators with SilverFish, a hacking group that many cybersecurity researchers believe is actually the FSB or SVR, the Russian intelligence agencies behind the SolarWinds cyberattacks.
Some ransomware gangs are so sophisticated that they have a mediation process to address disputes, according to DiMaggio and hackers familiar with the process. For example, REvil deposited one million dollars into a fund hosted on a cybercriminal forum to guarantee affiliate payments, in the hope of attracting top-quality hackers. When the DarkSide ransomware gang suddenly ceased operations, some of its affiliates were not paid. Money from the criminal forum was used to pay those affiliates, causing a dispute that was resolved using internal communication tools.
These tools, said DiMaggio, are part of what makes the groups so successful. “They can resolve inevitable money disputes quickly, then get back to work,” he said.
The ransomware partnership is part of the large and growing ransomware-as-a-service industry. Much like software-as-a-service, a booming industry that sells subscriptions to software rather than downloads, ransomware-as-a-service allows anyone to pay a fee to license the technology and skills of a hacker. Groups like REvil and DarkSide, allegedly responsible for some of the biggest ransomware hacks in history, offer friendly customer service and IT support to victims.
Ransomware code is relatively easy to customize. A large market of vulnerable computers combined with the pseudo-anonymity of cryptocurrency has created an environment ripe for criminal exploitation, said DiMaggio.
This new cartel poses fresh challenges, said DiMaggio. He worries that “a mega-group cartel” would be far more dangerous than previous groups because it would have more structure. He added, “with coordination and organization, their ransomware strains can be more dangerous than any individual cyberweapon.”