Partners in Crime: How Ransomware Gangs Are Working Together

By now, it’s clear that paying the ransom won’t necessarily help ransomware victims to recover their data. Paying up also doesn’t guarantee that victims will be safe from secondary attacks. According to our ransomware report, 80% of organizations that opted to pay a ransom demand ended up suffering another attack. Nearly half (46%) of those victims said they believed that the same attackers had infected them again, while 34% felt that it might have been someone else.

The last finding reflects how ransomware actors are working together to maximize their profits. But that raises some questions: What does collaboration between ransomware groups look like? Are there multiple avenues of collaboration open to ransomware attackers?

Crypto-Malware Cartels

Sometimes, this collaboration involves ransomware attackers who decide to form cartels with other attack groups. One such cartel took shape in June 2020. At the time, Bleeping Computer reported that the Maze ransomware gang had published the information and files for an international architectural firm on its data leaks site. The data did not stem from one of Maze’s attacks, however. Rather, it originated from an incident involving the LockBit group.

Bleeping Computer contacted the Maze operators to find out more about what was going on. In response, the Maze gang said that it was working with LockBit to share its data leaks website along with its attack experience. It also indicated that it was working to bring other ransomware attack groups into its cartel.

Sure enough, a week after its original report, Bleeping Computer wrote that Maze’s data leaks site had published the information for a victim claimed by the Ragnar Locker operation.

Multiple Layers of Infection

It’s also possible for multiple ransomware strains to come together around a single attack. Such is the potential behind a new technique called “double encryption.” As reported by Wired, this tactic can involve two separate gangs who compromise a victim at the same time or a single actor who deploys multiple ransomware strains against the victim.

Within those scenarios, double encryption can take on one of two forms. The first variety, known as “layered” encryption, is an infection where attackers use one ransomware strain to encrypt a victim’s data before using another crypto-malware payload to encrypt it again. The second form uses “side-by-side” encryption where attackers leverage one strain to encrypt some of a victim’s data and the other strain to encrypt the remaining information.

Why Ransomware Collaboration Concerns the Security Community

Ransomware gangs are bad enough when they’re operating by themselves. Put them together, and they’re even worse, as they can feed off each other. That’s what happened in the case of Maze’s cartel. Per Bleeping Computer’s reporting in September 2020, LockBit ultimately decided to launch its own data leaks site after serving in Maze’s cartel. No doubt that experience helped to inform the gang’s double extortion efforts going forward.

As for double encryption, recovery becomes much more difficult when multiple ransomware strains are involved. In the case of side-by-side encryption, victims need to know which systems suffered an infection by which ransomware so that they can deploy the necessary decrypter. They won’t be able to successfully recover their data otherwise. Layered encryption carries a similar challenge, only this time, organizations need to know which decrypter to deploy first.
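To make that recovery problem concrete, here is an added triage sketch (not code from the article or from Cybereason) that reads a file inventory and works out, per host, whether the damage looks layered or side-by-side and in which order decrypters would have to run. It assumes each strain appends its own file extension; the marker names `.strain_a` and `.strain_b` and the sample inventory are constructed placeholders.

```python
from collections import defaultdict

# Constructed placeholder markers: assumes each strain appends its own extension.
STRAIN_BY_EXT = {".strain_a": "StrainA", ".strain_b": "StrainB"}

def encryption_layers(name):
    """Return strains in the order they encrypted the file (innermost first)."""
    layers = []
    while True:
        for ext, strain in STRAIN_BY_EXT.items():
            if name.lower().endswith(ext):
                layers.append(strain)
                name = name[:-len(ext)]
                break
        else:
            break  # no known marker left on the name
    layers.reverse()  # peeled outermost-first; flip to encryption order
    return layers

def recovery_plan(inventory):
    """Map host -> {'mode': ..., 'files': {path: [decrypters in run order]}}."""
    per_host = defaultdict(dict)
    for host, path in inventory:
        layers = encryption_layers(path)
        if layers:
            # Decrypt in reverse of encryption: last strain applied comes off first.
            per_host[host][path] = layers[::-1]
    plan = {}
    for host, files in per_host.items():
        strains = {s for order in files.values() for s in order}
        if any(len(order) > 1 for order in files.values()):
            mode = "layered"        # at least one file was encrypted twice
        elif len(strains) > 1:
            mode = "side-by-side"   # different files hit by different strains
        else:
            mode = "single"
        plan[host] = {"mode": mode, "files": files}
    return plan

# Constructed sample inventory (host, file path), e.g. from a file-listing export.
SAMPLE = [
    ("fs01", "/share/q1.xlsx.strain_a.strain_b"),
    ("fs01", "/share/notes.txt"),
    ("ws07", "/home/u/a.docx.strain_a"),
    ("ws07", "/home/u/b.pdf.strain_b"),
    ("ws09", "/home/v/c.png.strain_b"),
]

if __name__ == "__main__":
    for host, info in recovery_plan(SAMPLE).items():
        print(host, info["mode"], info["files"])
```

Where a strain leaves no filename marker, the same grouping would have to key on ransom notes or file headers instead.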

Ransomware Prevention Capabilities are Key

The best ransomware defense for organizations is to focus on preventing a ransomware infection in the first place. Organizations need visibility into the more subtle Indicators of Behavior (IOBs) that allow detection and prevention of a ransomware attack at the earliest stages. Cybereason delivers industry-leading ransomware protection via multi-layered prevention, detection and response.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

Anthony M. Freed
About the Author

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.