Ransomware victims keep paying, and ransomware groups keep growing

Graham Cluley writes:

The City of Florence in northern Alabama has agreed to pay a ransom of US $300,000 worth of Bitcoin to hackers who compromised its computer systems and deployed ransomware.

At an emergency meeting this week, the Florence City Council unanimously voted to give in to the extortionists’ demands and pay the cybercriminals behind the attack.

Read more on HotForSecurity. As a public entity, I would guess that the payment would eventually become public knowledge, but it doesn’t help when people see that victims are willing to pay — it may just encourage more potential ransomware operators to become an affiliate or team up with an established ransomware group.

This past week, we have seen evidence of what looks like a growing criminal organization: Maze Team announced that it had collaborated with other ransomware teams. One of the listings on Maze’s ‘name and shame’ site involved Ragnar ransomware. On the Ragnar operator’s blog, they link to Maze’s listing for ST Engineering with a note “Provided by Maze.” But it is not yet clear what exactly Maze provided in the way of help. Maze had previously attacked ST Engineering in March of 2020. It appears, however, that there was a second attack in May of 2020 that also involved Ragnar.

But the Ragnar collaboration is not the only other ransomware collaboration Maze Team noted recently. Another incident, involving LockBit ransomware, was also noted on Maze’s website. That incident involved an architectural firm, the Smith Group.

Those collaborations — whether you view this all as a syndicate, a cartel, a RICO enterprise, or whatever — appear to be only the beginning. The signs of a growing criminal organization are all there, with various threat actors reaching out to find partners or contractors, offering splits like 70/30 or 80/20 down the road.

To the extent that Maze has had a lot of experience and seems to have a working system/panel for tracking what they are doing and coordinating, they seem well positioned to take point and to facilitate wannabe ransomware threat actors who have less support or organization. They have also, to some extent, established themselves as leaders and innovators by developing the double-ransom model (one ransom for decrypting, one ransom for destroying exfiltrated copies of data) and by using a “name and shame” site to increase pressure on victims through public exposure and public dumping of some of the victim’s data. More recently, the Sodinokibi (REvil) team has introduced its own twist: an auction platform where people can bid on databases from victims who would not meet their demands. So far, no one has bid on either of their first two auctions, so they wound up just dumping the data publicly. What will happen with other auctions remains to be seen.

Maze collaborating with others has benefits for them but also poses risks. As but one example, if others they collaborate with do not adhere to promises made to victims, it will come back to bite Maze when future victims no longer believe them. But for now, I think we all need to buckle up and expect these different ransomware groups to start collaborating more. We should also expect more ransomware teams to open up their own websites to name and shame, or to use Maze’s platform to put pressure on their victims.

Bottom line: I expect it’s going to get a lot worse out there before it gets better.

About the author: Dissent
