In a new twist, security researchers at Analyst1 have identified four Russian ransomware gangs that actively work together to coordinate attacks, data leaks, and more.
It’s bad enough when there’s one threat actor attacking your organization. But when it’s four cybercriminal gangs working together to share best practices, code, infrastructure, techniques, and more, it spells doom for their victims. New research from threat intelligence vendor Analyst1, the product of months spent researching, analyzing, tracking, and cross-referencing ransomware gang activity, brings to light a new ransomware cartel.
According to Analyst1, four ransomware gangs specifically are part of this new cartel:
- Twisted Spider (who use Maze and Egregor)
- Viking Spider (Ragnar Locker)
- Wizard Spider (Ryuk and Conti)
- The Lockbit Gang (Lockbit)
Some of the notable ties between these gangs, demonstrating the cartel-like interactions, include:
- Sharing of victim data and leak sites – in some cases, one gang steals the data and then uses another gang to perform the extortion and publishing
- Sharing of infrastructure – multiple gangs have used identical IP addresses for C2 servers
- Adopting each other’s tactics – for example, all of them have adopted the use of virtual machines in the victim environment (something originally mastered by Viking Spider)
- They have all claimed affiliation with the cartel
This cartel demonstrates what’s coming next: more sharing between gangs and, I would assume, some sort of “anti-threat intelligence” about security solutions.
The only light at the end of the tunnel is that these gangs need your users to interact and engage with phishing emails – something that solid education through Security Awareness Training will counteract, thereby stopping attacks before they can do damage.