At the end of 2019, the creators of the extortionate malware began to “work” according to a new scheme, which allows them to receive more money from victims. In fact, they require two ransoms from the affected companies: one for decrypting the data, and the other for deleting the information that the hackers stole during the attack. In the case of non-payment, attackers threaten to publish this data in the public domain. Now cryptographic operators Maze, LockBit, and Ragnar Locker have joined forces to found Maze Cartel.
It all started with Maze ransomware operators that began publishing files that they had stolen from the attacked companies if the victims refused to pay. Hackers started a special site for such “dumps”, and soon DopplePaymer followed their example. Then other groups caught the idea, including Sodinokibi, Clop, Sekhmet, Nephilim, Mespinoza, Ako, Netwalker and so on.Now, Bleeping Computer journalists are reporting that Maze operators have gone even further and started providing their platform to other hacker groups. So, last week LockBay ransomware operators joined Maze, who didn’t have their own website to “dump” the stolen data.
Attackers told the media that they agreed not only to upload dumps on a shared platform, but also to exchange information and tactics. The first collection of information stolen not as a result of the Maze attack (but as a result of the LockBit attack) was already posted on the group’s website.
They not only use our platform to publish company data, but also our experience and reputation, creating a profitable and lasting future. We treat other groups as our partners, and not as competitors. Every successful business has organizational issues”, — said Maze malware representatives in an interview with Bleeping Computer.
In addition, the hackers promised that very soon another group would join them, and so it happened. Bleeping Computer writes that now, hoping to increase their profits and the percentage of successful attacks, the creators of the Ragnar Locker malware joined the Maze operators. Now a conglomerate of hacker groups proudly calls itself a “cartel” – Maze Cartel.
Interestingly, Ragnar Locker had its own platform for “stealing” stolen information, and it is not clear what benefit they will have from cooperation with Maze operators.
Journalists note that the partnership of hacker groups raises certain concerns, since the exchange of information, tactics and the presence of a centralized platform for “dumps” will allow attackers to carry out more complex attacks and potentially extort large ransoms from victims.