Recent research revealed that a cartel of four ransomware gangs has allegedly been distributing and posting stolen data across a shared leak website. The four gangs suspected of working as a cartel are Wizard Spider, Viking Spider, Twisted Spider, and LockBit.
What was discovered?
There are several indicators that point towards the existence of the cartel.
- Multiple gangs coordinate through the cartel's leak website and may be sharing tactics and command-and-control (C2) infrastructure.
- The report stated that one ransomware gang steals data and passes it to another gang, which posts it publicly.
- Multiple gangs have added automation to their ransomware so that it can infect victims without human interaction.
- Together, the ransomware gangs made hundreds of millions of dollars from ransomware and extortion operations.
The links among the gangs
There were two main connections among the gangs:
- Shared data leak sites
- Shared Infrastructure
The twist in the story
In November 2020, Twisted Spider announced that it was closing its operations. It also claimed that no such cartel had ever existed!
The coalition described above lacked the essential element that turns a partnership into a cartel: profit sharing. Researchers found no evidence of profit sharing when tracking the groups' cryptocurrency wallets. This points to the conclusion that the association was not a cartel but a loose collaboration among different groups.
The second twist
Some researchers hold that Twisted Spider has been under constant scrutiny from law enforcement and other government entities, and that this pressure led it to make a false statement about retiring from cybercrime. They believe the group is still operating but keeping a low profile and no longer displaying any collaboration publicly.
It remains unclear whether an actual cartel existed. Nevertheless, collaboration between ransomware groups is dangerous because of the sharing of financial resources and attack infrastructure.