The latest moves from ransomware groups suggest that gangs are forging alliances to create a mafia-style structure.
Recent ransomware attacks by well-known cybercriminal groups suggest that gangs are forging cartel-style alliances to pressure their respective victims into paying the ransom demands.
Cointelegraph has obtained access to what seems to be a darknet site that belongs to the Maze group. On the site, Maze has been leaking stolen data beginning sometime after June 7.
The central feature to highlight is that the gang notes that Ragnar Locker, another ransomware group, provided the info, as the title of the blog post says: “MAZE CARTEL Provided by Ragnar.” Some of the victims listed are US-based companies.
Speaking with Cointelegraph, Brett Callow, threat analyst at malware lab Emsisoft, said that Ragnar Locker’s leak site is currently offline, suggesting that the group might have pulled the site permanently and plans to distribute all future leaks via Maze. Still, he clarifies that this is not confirmed yet.
Leaking data becoming a pattern in Maze’s ransomware attacks
Maze has been leaking stolen data from ransomware attacks against companies in different industries through the group’s darknet website when the victims refuse to pay the ransom.
Cyber intelligence company KeLa revealed that at some point in the first week of June, Maze operators added another batch of stolen data, this time from another ransomware gang known as LockBit.
Future alliances coming up soon?
In statements sent to BleepingComputer on June 3, Maze group said the following:
“In a few days another group will emerge on our news website, we all see in this cooperation the way leading to mutual beneficial outcome, for both actor groups and companies.”
The average ransom payments requested by the groups exceed $100,000 per incident, often in Bitcoin (BTC) and Monero (XMR). In some reports, victims are said to have paid up to “millions” of dollars.
Callow commented on Ragnar Locker’s stolen data made available on Maze’s site:
“Ragnar Locker are likely banking on the Maze group’s name recognition to further pressure companies into meeting their demands. While this is only the second such collaboration that we’re aware of, it’s likely that other groups will join the cartel if they believe it is in their financial interests to do so.”
Maze’s recent attacks
The Maze ransomware group has made a number of headlines due to its recent attacks.
Cointelegraph reported on May 6 that the gang infected two US-based plastic surgery studios with ransomware. They subsequently leaked patients’ Social Security numbers and other sensitive information onto the internet.
Maze recently claimed to have hacked a major egg producer, Sparboe.