In February 2021, Ukraine men were arrested for supporting the long-standing ransomware gang known as ”Twisted Spider”. The gang, first seen in May 2019, is behind high-dollar enterprise ransomware attacks. However, the arrests had little impact and operations continued in March 2021. In June 2020, the gang issued a press release claiming they joined forces with several other well-known ransomware attackers to create a criminal cartel. This report aims to determine the existence of the cartel, profile each gang within the cartel and identify the steps behind how each attacker breaches and extorts their victims.
Key findings include observing Cartel Affiliated gangs distributing or posting victim data across leak websites belonging to other gangs within the cartel, multiple gangs within the cartel coordinating via cartel leak websites and attackers moving towards automating their attacks.
Ransom demands continue to increase and several cartel gangs offer ransomware as a service known as Raas, hiring hackers to execute attacks while providing them with malware infrastructure and ransom negotiation services.
The question is, who is behind ransomware? The simple answer is Attackers are becoming valorous, conducting PR interviews with reporters, issuing press releases, and leveraging social media ads and call centres to harass and pressure victims into paying.
Attackers are reinvesting profits made from ransom operations to advance both tactics and malware to increase their success and revenue. Malware is updated regularly, adding new polished features.
One gang, Wizard Spider, developed unique malware geared towards espionage, but its existence alone is troubling. No other gang in the cartel uses or develops espionage malware.
Four ransomware gangs currently exist within the cartel, twisted spider viking spider wizard spider and lockbit gang. The suncrypt gang is no longer active but they previously claimed allegiance to the cartel and have since retired.
