Ransomware gangs unite to form poster-style structures

Recent ransomware attacks by well-known cyber-criminal groups suggested that gangs are forging cartel-style alliances to pressure their respective victims to pay what they demand as ransom.

Cointelegraph has gained access to what appears to be a Darknet site belonging to the Maze group. On the site, Maze has been leaking stolen data since Sunday.

The central feature to note is that the gang claims that Ragnar Locker, another ransomware group, provided the information, as the title of the blog post says: „MAZE CARTEL Provided by Ragnar“. Some of the victims mentioned are companies based in the United States.

Ransomware attack exposes 1.5 TB of stolen aerospace data

Speaking to Cointelegraph, Brett Callow, a threat analyst at the Emsisoft malware lab, stated that the Ragnar Locker leak site is currently offline, suggesting that he may have removed the site permanently and plans to distribute all future leaks through Maze. However, he clarified that this is not yet confirmed.

Data leakage becomes a pattern in Maze’s ransomware attacks
Maze has been leaking data stolen from ransomware attacks against companies in different industries through the group’s darknet website when victims refuse to pay the ransom.

Cyber intelligence company Kela revealed that sometime in the first week of June, Maze operators added another set of stolen data, but from another ransomware gang known as LockBit.

The Maze ransomware group hacked two plastic surgeons

Will future alliances be forthcoming?
In statements sent to Bitcoin Lifestyle on June 3, the Maze group said the following:

„In a few days another group will emerge on our news website, we all see in this cooperation the path that leads to a mutually beneficial outcome for both the stakeholder groups and the companies.

Average ransom payments requested by the groups exceed USD 100,000 per incident, often in Bitcoin (BTC) and Monero (XMR). In some reports, victims are said to have paid up to „millions“ of dollars.

A well-known egg distributor is the new victim of ransomware – will the chickens put up Bitcoin?

Callow commented on the stolen Ragnar Locker data available on Maze’s site:

„It is likely that Ragnar Locker relies on the name recognition of the Maze group to put even more pressure on the companies to meet their demands. While this is only the second type of collaboration we know of, it is likely that other groups will join the cartel if they believe it would be financially beneficial to them.