In February 2021, a multinational law enforcement task force arrested several Ukrainian men for supporting a long-standing ransomware gang known as Twisted Spider. The gang, first seen in May 2019, is behind high-dollar enterprise ransomware attacks. Unfortunately, the arrests had little impact, and several weeks later, in March 2021, Twisted Spider operations continued. Twisted Spider often makes headlines, but it’s not only due to their attacks. In June 2020, the gang issued a press release, claiming they joined forces with several other well-known ransomware attackers to create a criminal cartel. If this is true, this collaborative partnership, sharing resources and revenue, would pose a far greater threat to the community than attacks from smaller individual gangs by themselves.

Analyst1 produced this report to address whether or not the Cartel actually exists, as well as to help analysts better understand and defend against advanced ransomware attackers. We conduct research and analysis to address the following goals:

  • Research and provide an analytical assessment to determine if the Cartel is real or a fabrication created to distract law enforcement and researchers.
  • Profile and assess each gang within the Cartel and determine their relationships with one another.
  • Identify the steps behind how each attacker breaches and extorts their victims. Understanding the attacker’s behavior and tactics will assist in formulating better defensive and mitigation processes.


Key Findings

Analyst1 spent time digging through criminal marketplaces where Cartel gangs have a presence to research and analyze the criminal entities within the alleged Cartel. We explored the malware and tools the groups use, tracked their bitcoin transactions, and studied relevant reports from other researchers in the field alongside select media outlets.

Our research identified several key findings:

  1. Analyst1 observed Cartel-affiliated gangs distributing/posting victim data across leak websites belonging to other gangs within the Cartel. In other words, one gang breached and stole data from a victim and passed it to another gang to post publicly and negotiate with the victim.
  2. Analyst1 observed multiple gangs within the Cartel coordinating via Cartel leak websites, including sharing tactics, command and control infrastructure, and sharing/posting victim data.
  3. Attackers are moving towards automating their attacks. Multiple gangs have added automated capabilities into their ransom payloads, allowing them to spread and infect their victims without human interaction.
  4. Ransom demands continue to increase. Collectively, gangs in the Cartel generated hundreds of millions of dollars from ransomware and data extortion operations.
  5. Several Cartel gangs offer Ransomware as a Service (RaaS), hiring hackers to execute attacks while providing them with malware, infrastructure, and ransom negotiation services.
  6. Attackers are becoming bolder — they are now conducting PR interviews with reporters, issuing press releases, and leveraging social media ads and call centers to harass and pressure victims into paying.
  7. Attackers are reinvesting profits made from ransom operations to advance both tactics and malware to increase their success and revenue. Malware is updated regularly, adding new sophisticated features.
  8. One gang, Wizard Spider, developed unique malware geared towards espionage. Analyst1 could not validate how Wizard Spider uses it in attacks. Its existence alone is troubling. We found no other gang in the Cartel that uses or develops espionage malware.

We present other detailed findings and assess the overall Cartel theory in the conclusion of this report.


For the Full Report (PDF): Press Here


By Jon DiMaggio, April 7, 2021, published on Analyst1
