Ransomware cartel model didn’t fulfill potential, yet, but served as cybercrime proving ground

FBI’s cyber division personnel in front of a computer screen. (FBI)

Counter to initial fears, researchers say the ransomware cartel formed by the Maze cybergang starting in May 2020 never hit its stride.

Indeed, experts who spoke with SC Media said they doubt enough incentive currently exists for competing threat actors to overcome the inherent challenges in working collaboratively and developing a revenue-sharing model. If they ever were able to form an effective alliance, however, the resulting cooperative could present a significant danger to victims as they evolve their skills and weapons.

A new research report published Wednesday, authored by Analyst1 Chief Security Strategist Jon DiMaggio, provided findings of a months-long study of criminal marketplaces and crypto transactions as a means of tracking the cartel. At various times that included the operators of Maze, RagnarLocker, SunCrypt, LockBit and Conti/Ryuk ransomware.

Following the investigation, Analyst1 researchers concluded that they did not see any substantial evidence of cartel members sharing or splitting each others’ profits. For that reason, they believe the partnership between cartel members was somewhat overhyped.

“Profit-sharing is the primary element missing in the coalition of ransomware attackers discussed,” DiMaggio wrote. “Cartels are dangerous due to the large financial resources that profit-sharing provides.”

Other experts familiar with the ransomware scene shared similar observations.

“SunCrypt claimed there was some profit and intel-sharing involved, but we haven't yet observed [any] financial evidence,” said Madeleine Kennedy, senior director of communications at Chainalysis. Likewise, Jeremy Kennelly, senior manager of analysis with FireEye’s Mandiant Threat Intelligence unit, told SC Media there may have been some one-off cases of profit sharing, but there were no indications of that happening regularly.

Alec Alvarado, threat intelligence team lead at Digital Shadows, also agreed that the ransomware cartel “failed to fully capitalize on the concept of joining forces, as they haven’t necessarily cornered the ransomware market in the way that you would expect a joint group to accomplish.”

DiMaggio did discredit claims on the part of the Maze ransomware actors last year that no cartel initiative existed at all. In November 2020, when the Maze group actors suddenly announced publicly that they were shutting down operations – many threat intel experts believe the gang simply evolved into Egregor – they backtracked on their previous boasts that they were forming a cartel, claiming that it only ever existed “inside the heads of the journalists who wrote about it.”

But that’s not accurate. While the partnership never materialized into the threat it could have been, there was some degree of collaboration between groups, said the Analyst1 report, noting that they did share attack techniques and stolen or leaked data sets with each other. Indeed, Chainalysis earlier this year noted shared ransomware-as-a-service affiliate users between Maze, Egregor, SunCrypt and DoppelPaymer, and also observed Maze adopting TTPs from RagnarLocker.

“We believe the gangs created the cartel facade to appear larger, stronger [and] more powerful to further intimidate victims into paying ransom demands,” said the Analyst1 report. “The illusion and public claims made about the cartel achieved the desired effect.”

Kennelly was less convinced about the intimidation factor, but thinks the primary strategy may have been to recruit a collection of actors that could also benefit from operating under the well-known Maze (aka Twisted Spider) brand – “where you can trust that if you pay, you get decryption keys and decryption tools and support.”

The problem, however, is that there is more downside than upside to this arrangement. For starters, the parties involved have to agree on a profit-sharing system – no small feat.

“There is no financial incentive to this approach, since criminals will want to keep 100% of the profits for themselves,” said John Shier, senior security advisor at Sophos. “There are also competitive advantages that they wouldn’t want to share with their competitors. Sharing infrastructure and other resources could lead to single points of failure that can be exploited by law enforcement.”

Alvarado concurred. “The competitive nature of the ransomware landscape and the potential for conflict between money-hungry threat actors would lead me to believe the relationship likely did not come to fruition completely,” he said of the Maze cartel.

“There is potential that some of the individual ransomware operators intermingled and potentially left one variant for another, but the development of a true cartel would be difficult to accomplish,” Alvarado continued. “The sharing of profits would probably be a touchy subject and would be a point of conflict, and would likely be a hurdle that would need to be addressed.”

On top of that, consider the fact that most ransomware actors already have access to similar tools required to pull off their attacks, Kennelly noted. They also can all develop relationships with initial access brokers or bulletproof hosting services, who as vertically integrated cybercrime partners bring to the table valuable capabilities and skills that a redundant ransomware partner can’t provide.

“So I don't see that there is a strong incentive for [two] actors to cooperate in a world where… both of them have fairly well-established brand names, both of them have fairly complex and capable malware that they deploy, both of them have a stable of effective intrusion groups that are operating on their behalf [or] have existing infrastructure for hosting leaked data,” said Kennelly.

Another problematic issue is that the well-publicized formation of the cartel brought “global attention from law enforcement and government entities,” said the report. Indeed, Analyst1 believes that the unwanted attention may have been what prompted the group to feign retiring and pretend the cartel never existed. “For the same reasons, Twisted Spider stopped communicating publicly, and they no longer use social media or press releases to voice their demands,” the report noted.

Kennedy similarly noted that such cybercriminal relations can create a traceable digital paper trail of sorts. “While ransomware administrators and affiliates joining forces may offer some financial and practical benefits to the groups, these connections can also be valuable intel for law enforcement,” she said. “Evidence of common affiliates, service providers and laundering services are powerful leads. If law enforcement can identify and act against groups controlling multiple ransomware strains, or against OTCs enabling multiple ransomware strains to cash out their earnings, then they’ll be able to halt or impact the operations of several strains with one takedown.”

In late 2020 and 2021, law enforcement did score a series of victories against cybercriminal actors in short order, shutting down certain operations, seizing assets and/or making arrests related to Egregor ransomware, NetWalker RaaS and the Emotet botnet.

Leadership is another issue. “Individual egos may be the biggest hurdle for gangs to overcome to maximize the benefit of forming a cartel… That is also one reason I think the cartel failed,” DiMaggio told SC Media. “Twisted Spider wanted to lead the cartel, but never really seized the opportunity to provide clear direction to the other gangs. Future criminals will have to overcome the same hurdle.”

“However, if they do, the potential threat and attack capability will significantly increase,” he added. “If gangs can agree on central leadership to make decisions and direct attacks and share profits, I think we would be in trouble.”

Indeed, it’s certainly possible that a more formidable opponent could emerge in the future, and to that end Analyst1 does expect ransomware groups to continue to share tactics and resources, quietly behind the scenes.

In particular, the Analyst1 report warns that ransomware gangs could focus their efforts on evolving tools to automate their attacks, and then share that technology – because in this case, it’s easier to see how everyone mutually profits.

“The new capabilities gangs are introducing into their ransomware demonstrate that automation is essential,” the report states. “Analyst1 believes this trend will continue making ransomware operations more efficient and dangerous. As automation capabilities increase, the use of affiliate hackers will decrease. This means ransomware gangs do not have to share profits with affiliates, thus increasing the revenue derived from each attack. With the decrease in the timeframe it takes to execute each attack, Analyst1 believes the overall volume of attacks will grow, raising the number of victims extorted.”

DiMaggio told SC Media that ransomware groups are quickly becoming more sophisticated and could try something like this cartel relationship again.

“It is fair to say the individuals behind the attacks are intelligent and learn from their mistakes and realize the potential to take advantage of tactics used by other groups,” he said. “If gangs realize the benefits of an organized, structured hierarchy that shares resources and finances, they would be far more efficient and dangerous. This time, the attempt to form a cartel failed, but it’s unlikely the last time we see gangs join forces.”

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.