Ransomware gangs are teaming up to extort victims through a shared data leak platform, and the exchange of tactics and intelligence.
In November 2019, the Maze Ransomware operators transformed ransomware attacks into data breaches after they released unencrypted data of a victim who refused to pay.
Soon after, they launched a dedicated “Maze News” site used to shame their unpaid victims by publicly releasing stolen data.
This extortion tactic was quickly adopted by other groups, which now includes thirteen active ransomware operations known to leak stolen data if not paid.
Ransomware cartel formed
The Maze gang is once again stirring up the threat landscape by creating a cartel of ransomware operations to share resources and extort their victims.
Today, BleepingComputer was told by cyber intelligence firm KeLa that the Maze operators added the information and files for an international architectural firm to their data leak site.
What made this leak different was that the info was not from a Maze ransomware attack, but rather by another enterprise-targeting ransomware operation known as LockBit.
LockBit is a Ransomware-as-a-Service (RaaS) that began operating in September 2019 as a private operation.
They have since begun marketing themselves on Russian hacker forums where they encourage malware distributors and hackers to apply to their operation.
To learn more about this collaboration between Maze and LockBit, BleepingComputer contacted the Maze operators.
Maze confirmed that they are working with LockBit to share their experience and data leak platform. They also stated that another ransomware operation would be joining their collaborative group in the coming days.
“In a few days another group will emerge on our news website, we all see in this cooperation the way leading to mutual beneficial outcome, for both actor groups and companies.”
“Even more, they use not only our platform to post the data of companies, but also our experience and reputation, building the beneficial and solid future. We treat other groups as our partners, not as our competitors. Organizational questions is behind every successful business,” Maze told BleepingComputer.
When we asked Maze if they received a revenue share from any payments driven by their platform, we were told that they could not share these details.
They did state that they are in discussion with other ransomware groups to join this collaborative effort to generate ransom payments.
“We will post one new another group in a few days, and we await also few others to come in upcoming weeks,” Maze operators stated.
With the average ransom payment over $100,000, and some victims allegedly paying millions, enterprise-targeting ransomware operations working alone have been very successful.
By joining forces to share advice, tactics, and a centralized data leak platform, ransomware operations can focus more on creating more sophisticated attacks and successful extortion attempts.