In February 2021, a multinational law enforcement task-force arrested several Ukrainian men for supporting a long-standing ransomware gang known as Twisted Spider. The gang, first seen in May 2019, is behind high-dollar enterprise ransomware attacks. Unfortunately, the arrests had little impact, and several weeks later, in March 2021, Twisted Spider operations continued. Twisted Spider often makes headlines, but it’s not only due to their attacks. In June 2020, the gang issued a press release, claiming they joined forces with several other well-known ransomware attackers to create a criminal cartel. If this is true, this collaborative partnership, sharing resources and revenue, would pose a far greater threat to the community than attacks from smaller individual gangs by themselves.
Analyst1 produced this report to address whether or not the Cartel actually exists, as well as to help analysts better understand and defend against advanced ransomware attackers. We conduct research and analysis to address the following goals:
- Research and provide an analytical assessment to determine if the Cartel is real or a fabrication created to distract law enforcement and researchers.
- Profile and assess each gang within the Cartel and determine their relationships with one another.
- Identify the steps behind how each attacker breaches and extorts their victims. Understanding the attacker’s behavior and tactics will assist in formulating better defensive and mitigation processes.
Analyst1 spent time digging through criminal marketplaces where Cartel gangs have a presence to research and analyze the criminal entities within the alleged Cartel. We explored the malware and tools the groups use, tracked their bitcoin transactions, and studied relevant reports from other researchers in the field alongside select media outlets.
Our research identified several key findings:
- Analyst1 observed Cartel-affiliated gangs distributing/posting victim data across leak websites belonging to other gangs within the Cartel. In other words, one gang breached and stole data from a victim and passed it to another gang to post publicly and negotiate with the victim.
- Analyst1 observed multiple gangs within the Cartel coordinating via Cartel leak websites, including sharing tactics, command and control infrastructure, and sharing/posting victim data.
- Attackers are moving towards automating their attacks. Multiple gangs have added automated capabilities into their ransom payloads, allowing them to spread and infect their victims without human interaction.
- Ransom demands continue to increase. Collectively, gangs in the Cartel generated hundreds of millions of dollars from ransomware and data extortion operations.
- Several Cartel gangs offer Ransomware as a Service (RaaS), hiring hackers to execute attacks while providing them with malware, infrastructure, and ransom negotiation services.
- Attackers are becoming bolder — they are now conducting PR interviews with reporters, issuing press releases, and leveraging social media ads and call centers to harass and pressure victims into paying.
- Attackers are reinvesting profits made from ransom operations to advance both tactics and malware to increase their success and revenue. Malware is updated regularly, adding new sophisticated features.
- One gang, Wizard Spider, developed unique malware geared towards espionage. Analyst1 could not validate how Wizard Spider uses it in attacks. Its existence alone is troubling. We found no other gang in the Cartel that uses or develops espionage malware.
We present other detailed findings and assess the overall Cartel theory in the conclusion of this report.
For the Full Report (PDF): Press Here
By Jon DiMaggio, April 7, 2021, published on Analyst1