Four ransomware gangs working together in what they call a “cartel” is more of a dangerous partnership, according to a Virginia-based threat intelligence firm.
In a report released Wednesday, Analyst1 noted that while each gang — dubbed Twisted Spider, Viking Spider, Wizard Spiker and Lockbit — claim they’re in a cartel, they don’t share profits.
They can more accurately be described as “a collective of criminal gangs who, at times, work together in ransom operations,” the report noted, adding this actually makes them “far more dangerous” than if they were operating independently because they still share tactics and resources.
As possible proof of the partnership’s strength, the report notes that the criminal cartel says it emerged in June 2020 by someone claiming to represent Twisted Spider. Five months later, Twisted Spider announced they were shutting down their operations and claimed the cartel never existed. In February of this year, a multinational law enforcement task force arrested several Ukrainian men for supporting Twisted Spider.
“Unfortunately, the arrests in February had little impact; Twisted Spider continued their operations several weeks later,” the report said. “We believe the gangs created the cartel facade to appear larger, stronger, more powerful to further intimidate victims into paying ransom demands.
“The illusion and public claims made about the cartel achieved the desired effect; however, it also brought global attention from law enforcement and government entities. We believe this prompted Twisted Spider to lie about retiring, and this explains why they attempted to retract their cartel affiliation. For the same reasons, Twisted Spider stopped communicating publicly, and they no longer use social media or press releases to voice their demands.”
More generally, the report argues ransomware gangs will focus development efforts to automate attacks.
“The new capabilities gangs are introducing into their ransomware demonstrate that automation is essential. Analyst1 believes this trend will continue making ransomware operations more efficient and dangerous. As automation capabilities increase, the use of affiliate hackers will decrease,” the report indicated. “This means ransomware gangs do not have to share profits with affiliates, thus increasing the revenue derived from each attack. With the decrease in the timeframe, it takes to execute each attack.
The result, researchers predict, is that the overall volume of ransomware attacks will grow, raising the number of victims extorted.
As evidence of their partnership, the report says that after compromising organizations and stealing data, the information is sometimes passed on to Twisted Spider, which posts the victim’s data on its website and attempts to negotiate a ransom. Researchers have also seen evidence that an alleged member of the partnership used the same IP addresses for command-and-control that Twisted Spider used at a different time.
Also, all gangs ensure their payloads don’t execute on Russian victims. They originate in Eastern European countries and, according to posts on criminal websites, primarily speak Russian.
Yet, the four gangs have their differences. For example, Wizard Spider has developed unique malware geared towards espionage, although Analyst1 could not verify its use in attacks.
The four also buy or contract the use of different ransomware strains. Twisted Spider started using Maze and then switched to Egregor. Viking Spider uses Ragnar Locker. Wizard Spider, called the most experienced, now uses Ryuk and Conti ransomware after starting with Gogalocker and MegaCortex. Lockbit uses its own ransomware.
A gang called SunCrypt claimed to be part of the co-operative, which Twisted Spider denied. It has since disbanded.