How the Ransomware Gangs Stay One Step Ahead

Ransomware attacks increased dramatically in the first half of 2021. As reported by ITProPortal, the global volume of ransomware attacks hit 304.7 million during that six-month period. That’s 0.1 million more ransomware attacks than the entire total for 2020.

During that period, many malicious actors upped their efforts to target government entities, with a 917% increase in ransomware attacks targeting that sector. This was followed by increases in attacks targeting education (615%), healthcare (594%), and retail (264%).

What’s Behind this Rise in Ransomware Attacks?

Understanding the many factors that contributed to this rise is beyond the scope of this article. Instead, let’s focus on the following cause: ransomware actors are vying to stay ahead of defenders by learning from one another and pooling resources.

Take the LockBit gang’s involvement in the Maze ransomware cartel as an example. Back in June 2020, Bleeping Computer learned that Maze’s operators had added the information for an architectural firm to their extortion website. This leak was different in that the LockBit gang was responsible for having targeted the firm and stolen its data. Later, the Maze gang clarified that they were working with LockBit as a “partner” to share their infrastructure and their experience.

Prior to joining up with the Maze operation, those responsible for LockBit had maintained their own data leaks website. The portal shut down around the time that LockBit became a part of the Maze cartel. Several months into that partnership, the LockBit group posted a link to a new data leaks site on a Russian-speaking digital crime forum. At the time, the site listed the information of an automation parts manufacturer and a shipping company, reported Bleeping Computer.

It was in November 2020 when the Maze ransomware group announced that they had ceased operations and that they would no longer be leaking victims’ data. In an announcement obtained by Bleeping Computer, the attackers disputed the claim that they had ever formed a cartel.

“We never had partners or official successors,” the attackers wrote. “Our specialists do not works with any other software. Nobody and never will be able to host new partners at our news website. The Maze cartel was never exists and is not existing now. It can be found only inside the heads of the journalists who wrote about it.” [sic]

In the days that followed, researchers observed some Maze affiliates moving to a new ransomware operation called “Egregor”. The crypto-malware itself appeared to be created from the same software as Maze, raising the possibility that the Maze attackers had simply rebranded their campaign. Whoever was commanding Egregor at the time quickly made waves when someone on Twitter posted about the group having hijacked their victim’s printers to print out physical copies of their ransom note.

What a surprise then, when LockBit 2.0 arrived with that same capability in July 2021. Coincidence? Not likely.

Despite what the Maze attackers said in their farewell announcement, their cartel was real, and it still functions to this day. Analyst1 found that the cartel consisted of LockBit and three other groups as of April 2021. Together, those gangs use the cartel to share not only infrastructure and expertise but also victims’ stolen information.

This sometimes involves more than one ransomware group publishing the same information on their data leaks site. Other times, this involves groups publishing the data stolen by other cartel members.

On the Need for Better Ransomware Defenses

The case of Maze and LockBit highlights how some ransomware gangs share infrastructure, expertise, and even stolen data. Such collaboration helps ransomware groups to evolve and learn from one another, thus making it more difficult for security teams to defend against them—that is, unless they have the proper anti-ransomware solution in place.

The best strategy for organizations is to prevent a ransomware attack from being successful in the first place. To do that, they need to invest in a multi-layered solution that leverages Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, prior to the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered.

The Cybereason Operation-Centric approach provides the ability to detect ransomware attacks earlier based on rare or advantageous chains of malicious behavior. This is why Cybereason is undefeated in the battle against ransomware and delivers the best prevention, detection, and response capabilities on the market.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.
