ArchiveOODA Original

The Next Evolution of Ransomware Gangs: Collaboration

Ransomware gangs continue to evolve their tactics to stay one step ahead of network defenders and those tracking their developments.  Increased reporting that ransomware gangs – particularly Russian groups – are collaborating with one another is another example of this type of evolution.  The joining of forces enables these groups to share advice, targeting information tactics, and a data leak program, all of which contribute to executing more sophisticated attacks.  What’s more, these partnerships are proving successful and yielding substantial financial gains.  The more accomplished ransomware gangs are driving this trend, an indication that these groups are monitoring press and news reports of ransomware activities and pivoting to sustain their successful operations while they evade law enforcement and intelligence interest.

Collaboration comes in various forms. The first indication of this emerged in June 2020 with the Maze ransomware group posting stolen data from an architectural firm on its leak website and members of the LockBit ransomware gang using it for their own targeting purposes.  An alleged member stated the Maze team shared its experiences and data leak platform with their LockBit counterparts and was looking at the time to recruit another ransomware operation into the collaboration. Then in July 2021, a cyber security company published a report in which it found that several Russian cyber-criminal groups had agreed to form a partnership. According to the report, Twisted Spider, Wizard Spider, Viking Spider, and LockBit shared hacking techniques, stolen data breach information, malware code, and operational infrastructure. Also in 2021, the Federal Bureau of Investigation (FBI) issued an alert detailing the activities of the OnePercent ransomware gang.  The FBI revealed that the group would sell stolen victim data to the REvil gang (before it disbanded) to auction off.

On the surface, it should not be surprising that sophisticated cyber-criminals see the benefit of working together, especially those that have demonstrated proficiency in the execution of such crimes.  Collaboration allows groups to pool expertise and thereby increase their chances of operational success while reducing exposure by divvying up responsibilities in larger campaigns.  But perhaps more worrisome is evidence that building such relationships and fostering cooperation is not reserved solely for criminal gangs. In August 2021, another cyber security company report revealed connections between individuals connected to Russian intelligence and Russian ransomware groups.  Per the report, the company tracked specific individuals linking them to ransomware members. While such an association is disconcerting, it should be clear that this does not implicate the Russian government as these individuals may be operating outside any official capacity.  Still, it can be presumed that they may be using or contributing knowledge obtained from their intelligence profession and/or technical resources for the benefit of ransomware campaigns.

The continued professionalization of ransomware campaigns has been well documented.  Their continued evolution reinforces the belief that ransomware operators are unlikely to curb their efforts largely because they have not been stopped.  The greatest strength of the more accomplished gangs is the ability to reinvent and rebrand themselves, applying lessons learned from their own previous activities as well as those of other gangs prior to starting new campaigns. This allows these groups to refine all aspects of their efforts (e.g., group makeup, recruitment, forming partnerships, etc.), which is essential to sustaining their operations in a global cybersecurity climate that has a microscope on the ransomware menace.

The emergence of the BlackMatter ransomware gang is a perfect example.  Born out of the “retirements” of REvil and DarkSide gangs, BlackMatter publicly stated that it wouldn’t target critical infrastructures, a nod to the pressure designed for deterrence applied to the REvil and DarkSide groups (causing both to fold after their disruption of Colonial Pipeline and the meat supplier JBS).  There are plenty of other large organizations in BlackMatter’s crosshairs able to pay large ransom demands, and the group seeks to gain exclusive access to them at a high price point.

In any criminal ecosystem, the bottom line is paramount.  The extent to which the major ransomware gangs continue collaboration will depend on the ongoing profitability of these endeavors.  As long as these partnerships facilitate success, there is no reason to expect groups not to form alliances, even if they are temporary.  Moreover, different groups may have expertise in different areas thereby making cooperation a logical undertaking.  In this way, groups essentially vet each other’s capabilities, establish their bona fides, and create a self-sustaining workforce where talent is a shared commodity.  While U.S. President Joe Biden’s meeting with his Russian counterpart may have been viewed as a success for curbing Russian ransomware gang targeting of U.S. critical infrastructures, this agreement only affects Russian cybercriminals, not the other ransomware gangs that might try to fill the void. Recently, the FBI warned that at least a few gangs are targeting organizations in the food and agriculture sector, impacting food supply services.  The alert did not cite if the gangs were Russian or not.

As evidenced by the Russian example stated above, persons tied to nation-states working with these criminals further complicates the picture, particularly if their involvement assumes a larger role – as previously moonlighting assets become a full-time asset for nation-states to use for motivations other than financial benefit. The 2017 NotPetya attack is an example of ransomware-as-punishment, where a state executed a ransomware attack to disrupt operations, and not collect payment.  Now that ransomware gangs steal data from organizations as well as encrypt compromised machines, it may be fundamentally more difficult to ascertain the intent of attacks or their attribution.  Stolen information can be passed to the sponsoring government, while the ransomware team can still coerce victims for ransom payments.  This may only serve to encourage governments to provide tacit protection of these elements for their own purposes.

One thing is clear: consistent evolution and refinement of tactics sustain the future of ransomware operations.  While there have been temporary disruptions of their activities, any gains made have proven of little consequence especially when teams dissolve only to reappear under a new moniker. Failure of global law enforcement and intelligence cooperation to aggressively identify, arrest and prosecute these gangs only enables their existence.  And that must change. Otherwise, ransomware gangs will keep their advantage.

Opportunities for Advantage

All of this exponential disruption means we must make focused efforts to gain advantage. Stay informed on a variety of these critical issues at and during our monthly OODA Network meetings and Salons.


Become A Member

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this mega trend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

Emilio Iasiello

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.