
The Major Ransomware Cartel That Didn’t Exist


Among the nastiest of tools on a cybercriminal’s tool belt is ransomware. According to the FBI, in 2020 the Internet Crime Complaint Center (IC3) received 2,474 ransomware complaints that totaled $29.1 million in damages. That averages nearly $11,800 per incident. Alarmingly, incidents of ransomware attacks are on the rise and are considered a “hot topic,” according to IC3. Security researchers believe this highly popular cyber-crime might have lent itself to the creation of a first-of-its-kind cyber cartel. 

What is Ransomware?

If you like watching crime dramas, you might be familiar with the concept of ransom: a criminal kidnaps a person important to their target and extorts money in exchange for their return. While kidnap for ransom is a relatively uncommon crime, the concept lives on in the digital world. Ransomware “kidnaps” the files on your computer and demands payment to have your data restored. Once installed on your computer, ransomware prevents you from accessing your files, then displays a message demanding payment, threatening that your files will otherwise be destroyed or made public. This technique is very lucrative for cybercriminals, as more than 40% of victims of these attacks reluctantly pay to recover their data, despite warnings from the U.S. government against doing so.

“40% of victims of ransomware attacks reluctantly pay to recover their data”

How Big is this Threat?

A successful ransomware attack does not require a skilled hacker. There are talented hacker groups that develop the necessary tools for the attack, but nearly anyone can purchase them and begin targeting victims. However, as authorities crack down on cybercrime, and security teams patch exploits and vulnerabilities, ransomware creators need to stay ahead of these obstacles to remain in business. In a time of heightened cybersecurity awareness, cyber gangs have recognized the power in combining forces with competing gangs. When collaborating, these gangs pose a more significant threat. Therefore, it makes a lot of sense for these groups to collaborate and form a cartel, exchanging tools and techniques to become a more powerful cybercriminal enterprise.  

In May 2020, the Twisted Spider and Maze cyber gangs recruited the help of the attackers behind RagnarLocker, SunCrypt, LockBit, and Conti/Ryuk ransomware to form a cartel, or so they stated publicly. However, in a later press release, Twisted Spider claimed the cartel never existed, even though researchers have evidence of these cyber gangs sharing infrastructure and resources. Because Twisted Spider’s claims conflict with the evidence of collaboration, security analysts used market-leading investigation tools to reach a conclusion about the existence of this alleged cartel.

What Did Security Researchers Determine?

Jon DiMaggio, Chief Security Strategist at Analyst1, published a research paper analyzing the cartel’s activities and concluded that while these gangs collaborated, they did not exchange funds, so their cooperation does not truly qualify as a cartel. Analyst1 used the Constella Intelligence Hunter platform to track cryptocurrency payments surrounding these attackers’ activities.


Figure 1: SunCrypt ransom payment in Bitcoin via the Constella Hunter Intelligence Platform


The Hunter platform allows cyber investigators to start with something as simple as a suspected cybercriminal’s email address or moniker and pivot on associated data to uncover the suspect’s other identifiers. As it turns out, even hackers get hacked–and Constella captures the breach data that makes these investigations possible. Among Hunter’s capabilities is tracking cryptocurrency transactions, which was very telling of the ransomware cartel’s activities. Hunter can be used to search for Bitcoin addresses and to review the transaction information as well as any identifying details connected to that address, such as emails, IP addresses, and usernames.

“Constella’s Hunter allows us to more efficiently gather and enrich our threat intelligence to identify the threats that matter most & attribute identities.”

— Jon DiMaggio | Chief Security Strategist | Analyst1

After analyzing transactions to Bitcoin wallets known to be associated with cyber gangs, Analyst1 found payments flowing in from victims, but failed to identify any transactions between different gangs. DiMaggio concluded that while these gangs collaborated, posing an increased threat, there is no evidence to suggest they combined financial resources, which disqualifies the group as a cartel.  
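The check described above can be sketched in code. This is an added example, not Analyst1's or Hunter's code: it searches a transaction set for funds moving from a wallet attributed to one gang to a wallet attributed to another, including through unattributed intermediary addresses. The attribution map, addresses and transactions are constructed placeholders, and treating each transaction as edges from every input to every output is a simplifying assumption.

```python
from collections import defaultdict, deque

# Constructed attribution: placeholder address -> gang (not real wallets).
ATTRIBUTION = {"addr_ts_1": "Twisted Spider", "addr_ts_2": "Twisted Spider",
               "addr_sc_1": "SunCrypt", "addr_lb_1": "LockBit"}

# Constructed transactions: (txid, input addresses, output addresses).
TRANSACTIONS = [
    ("tx1", ["victim_a"], ["addr_ts_1"]),
    ("tx2", ["victim_b"], ["addr_sc_1"]),
    ("tx3", ["addr_ts_1"], ["addr_ts_2", "hop_1"]),
    ("tx4", ["victim_c"], ["addr_lb_1"]),
    ("tx5", ["addr_sc_1"], ["cashout_1"]),
]

def build_graph(transactions):
    """Directed edge from every input address to every output address."""
    graph = defaultdict(list)
    for txid, inputs, outputs in transactions:
        for src in inputs:
            for dst in outputs:
                graph[src].append((dst, txid))
    return graph

def cross_gang_paths(transactions, attribution, max_hops=3):
    """Flows from one gang's wallet to a different gang's wallet, traced
    through at most max_hops transactions via unattributed addresses."""
    graph, hits = build_graph(transactions), []
    for start, gang in attribution.items():
        queue, seen = deque([(start, [])]), {start}
        while queue:
            addr, path = queue.popleft()
            if len(path) == max_hops:
                continue
            for nxt, txid in graph.get(addr, []):
                if nxt in seen:
                    continue
                seen.add(nxt)
                owner = attribution.get(nxt)
                if owner is None:        # intermediary: keep tracing
                    queue.append((nxt, path + [txid]))
                elif owner != gang:      # reached another gang's wallet
                    hits.append((gang, owner, path + [txid]))
    return hits

if __name__ == "__main__":
    print(cross_gang_paths(TRANSACTIONS, ATTRIBUTION))
```

An empty result on the sample corresponds to the finding reported here: victim payments arrive at each gang's wallets, but no path links one gang's wallets to another's within the hop limit.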

What Now?

Cartel or not, ransomware still poses a threat to you. The most important step in protecting yourself is recognizing such threats exist and remaining alert to suspicious activity. The most likely ways your computer can become infected with ransomware are through software vulnerabilities and email phishing. Be sure to keep your software up to date on all of your devices, scrutinize suspicious emails for irregularities, and consult with a security expert to learn how you can optimize your security settings.  

And if you want to unmask adversaries and obtain actionable intelligence leading to more efficient and effective investigations, request a Hunter demo with one of our threat intelligence specialists.

By Keon Ramezani, Solutions Architect at Constella Intelligence