The world’s top ransomware gangs have created a cybercrime “cartel”

Ransomware continues to be a problem, and now some of the most damaging ransomware developers are combining forces to improve infection rates and make more money. CBS News posted about this; the post can be found HERE. Here is that article. You can also view a video on this report at

Several of the largest Russian ransomware cybercriminal gangs have partnered up and are sharing hacking techniques, purloined data-breach information, malware code and technology infrastructure.

The most active collaborators are four groups known as Wizard Spider, Twisted Spider, Viking Spider and LockBit. The gangs in this cluster jointly control access to illicit data leak sites and custom ransomware code. They also associate with the larger criminal ransomware ecosystem, exert influence over smaller gangs and license their tools to affiliates, said Jon DiMaggio, chief security strategist at Analyst1. The groups do not appear to share profits from criminal activity.

“They’re not a cartel in the traditional sense, like oil companies that have a lock on the supply of crude,” DiMaggio explained. “But they do have technology infrastructure, and some are big enough to have their own [ransomware] code. These are limited resources.”

[Image caption] Ransomware groups Wizard Spider, Twisted Spider, Viking Spider and LockBit are collaborating with each other. Credit: Jon DiMaggio

The groups Viking Spider and LockBit upload stolen information to a data breach site hosted and controlled by Twisted Spider, according to DiMaggio’s research. This information is used for phishing attacks that deliver ransomware and is posted to criminal name-and-shame sites that are used to embarrass and coerce victims. The gangs also hoard shared hacking tools and software exploits known as zero-day vulnerabilities. Twisted Spider also operates a command-and-control server that hosts malware and hacking tools used by other gangs, including Viking Spider, LockBit and a now-defunct group called the Suncrypt Gang.

Cybercriminal gangs often try to cultivate unique personas, and are known for using customized strains of ransomware. The gangs REvil and Twisted Spider are associated with Maze and Egregor ransomware, respectively. Wizard Spider is linked to Ryuk and Conti.

New clusters are more powerful, sophisticated

Hacking groups frequently collaborate, break up, shut down, rebrand and regroup. Several groups in the so-called cartel cluster announced a collaboration in July 2020, then disbanded in November. The new cluster of gangs is potentially more powerful, DiMaggio said, because of its links to other threat actors in the cybercriminal ecosystem. For instance, his research connects the new group with three additional gangs, including EvilCorp, a veteran hacking group led by Maksim Yakubets that targeted remote workers during the pandemic.

DiMaggio’s research also connects the new ransomware collaborators with SilverFish, a hacking group many cybersecurity researchers believe is actually the FSB or SVR, the Russian intelligence agencies behind the SolarWinds cyberattacks.

Some ransomware gangs are so sophisticated that they have a mediation process to address disputes, according to DiMaggio and hackers familiar with the process. For example, REvil deposited one million dollars into a fund hosted on a cybercriminal forum to guarantee affiliate payments, in the hope of attracting top-quality hackers. When the DarkSide ransomware gang suddenly ceased operations, some of its affiliates were not paid. Money from the criminal forum was used to pay those affiliates, causing a dispute that was resolved using internal communication tools.
