Although different ransomware gangs operate in the same niche of cybercrime, they are rivals that don’t share their tactics, techniques, and procedures with like-minded bad actors. Conspiracy is a way to maintain a “competitive advantage” that involves infection vectors, cryptographic implementation, operations security (OPSEC), and peculiarities of the Command & Control (C2) infrastructure. These groups are much like lone wolves that hunt down prey on their own and hate it when other predators enter their territory.
This unspoken principle has recently changed, though. Several independent extortion campaigns initiated a merger to create a cartel-type entity that uses common tools and exchanges knowledge about ransomware deployment schemes.
Maze ransomware breaks new ground
A once-marginal ransomware lineage called Maze has been the driving force of the cyber blackmail evolution since November 2019. Back then, its authors showed their ambitions by pioneering in the implementation of a dual extortion model. In addition to encrypting an organization’s data, they inflict an extra sucker punch by stealing it.
Maze operators then threaten to spill these corporate secrets into the wild to pressure the victim into paying the ransom. To take this disgusting ultimatum tactic further, they have set up a site named “Maze News,” where they publish files belonging to non-paying businesses. More than a dozen ransomware groups have since followed suit.
In early June 2020, the gang made another unprecedented move. It teamed up with a previously unrelated ransomware syndicate known as LockBit. Security analysts discovered this plot when Maze’s leak site was updated with a batch of files pilfered from an international architectural company. The inconsistency was that this information had been reportedly obtained in a raid by LockBit rather than Maze.
LockBit debuted last year as a Ransomware-as-a-Service (RaaS) platform actively promoted in the Russian cybercrime underground. It homes in on enterprise networks. Having hit an organization through phishing or an unsecured remote desktop protocol (RDP) connection, its distributors use post-exploitation tools to exfiltrate as much data as they can find. This is what happened to the company whose files ended up on the Maze “public shaming” site.
To dot the i’s and cross the t’s in this story, researchers at the Bleeping Computer security resource tried to get in touch with Maze operators. On a side note, these white hats have a long track record of communicating with ransomware authors on different occasions. This time, they asked whether or not Maze and LockBit had established some kind of a partnership.
Believe it or not, the felons replied. They confirmed that they were cooperating with the LockBit crew. The purpose of forming this wicked tandem was to use a single data leak platform and share expertise regarding different stages of the extortion workflow.
Maze actors emphasized that they treated the joining group as partners rather than competitors. They also announced that one more cybercriminal ring would enhance the “union” shortly. They refused to provide commentary about the cartel’s revenue-sharing principles, though.
Another gang jumps on the hype train
A few days after the collaboration with LockBit was confirmed, the Maze group welcomed a new accomplice – a ransomware family called Ragnar Locker. In contrast to LockBit that never had a leak website of its own, the newbie had created such a resource long before the merger. It’s, therefore, unclear what motivated the felons to start working under the same umbrella. The main theory is that the perpetrators would be getting a cut from the combined illicit profits.
On June 9, a portion of information stolen from a US-based marketing agency called Brunner was uploaded to Maze’s site for data dumps. This attack had been previously attributed to Ragnar Locker, which provided extra proof that the evil alliance was real.
The inner workings of the cartel
When the activity of the newly formed extortion trio was in full swing, the story took an unexpected turn. In late August, the above-mentioned Bleeping Computer security outlet was contacted by representatives of a ransomware group called SunCrypt, which was first spotted in October 2019.
In their message, the malefactors claimed to have recently become a part of the Maze coalition. Surprisingly, these black hats didn’t mind revealing some intricate details of the dodgy teamwork. According to SunCrypt actors, the primary reason why Maze proprietors have been inviting other gangs to collaborate is that they could no longer handle all the operations on their own.
This statement contradicts the earlier narrative about simply sharing intelligence and offensive tools for mutual benefit. It turned out that the perpetrators took too much on and needed outside assistance to keep their nasty business up and running.
The felons also mentioned that Maze operators had gained a foothold in an undisclosed number of enterprise networks but lacked time and resources to execute the extortion onslaughts. Therefore, they decided to outsource the actual attack function to the associates in exchange for a cut of the future ransom earnings.
Around the same time, security enthusiasts came across a sample of the SunCrypt ransomware and analyzed it extensively. This scrutiny revealed a clue about the collaboration between SunCrypt and Maze, confirming the statements previously made by the former gang.
According to these findings, the deleterious program is executed in a host network through a surreptitious PowerShell script. When running, its underlying DLL component encrypts all potentially valuable data found on the networked computers. It also concatenates each filename with a different hexadecimal hash and drops ransom notes into all folders containing scrambled data.
Whereas this is a classic tactic used by the vast majority of ransom Trojans, there is something that makes SunCrypt stand out from the crowd. Once deployed, it establishes a connection with a particular IP address (18.104.22.168) to submit the details about the victim to its operators.
The involvement of this IP in the SunCrypt attack chain speaks volumes about its ties with the Maze campaign. Here is why: the Maze group uses public IP addresses, including this one, to host its data leak site and C2 infrastructure. Despite this ostensibly lame OPSEC, none of the malicious resources has been knocked offline by law enforcement.
It looks like the extortionists behind Maze have masterminded a way to make the web backbone of their operation fly below the radar of regulatory authorities. Now, they appear to be sharing this know-how with partners operating under the same hood.
By the way, in another round of correspondence with security researchers, Maze denied being in cahoots with SunCrypt and stated that the less successful gang was simply trying to feign affiliation with the notorious cartel to instill fear in victims. However, the use of a common IP address to mount new attacks and amass information about infected businesses is at odds with this refutation.
The first-ever ransomware alliance formed by the Maze group is another milestone in the evolution of cybercrime. The operators of other impactful strains such as Sodinokibi, Ryuk, and Clop will likely follow in the footsteps of their agile counterparts, as they did with the data leak strategy introduced almost a year ago.
By sharing skills, technologies, and centralized platforms for data dumps, extortionists can boost the success rate of their attacks. This, in turn, will probably lead to an increase in the average size of the ransom down the road. Under the circumstances, proactive defenses, security awareness training programs, and data backups are more important for organizations than ever before.