SunCrypt Ransomware Developers Joined Maze Cartel

SunCrypt joined the Maze Cartel
Written by Emma Davis

Bleeping Computer reports that the SunCrypt hacker group, which develops the ransomware of the same name and has been active since the fall of 2019, has joined forces with other ransomware operators. More specifically, SunCrypt appears to have joined the well-known cybercriminal alliance known as the Maze Cartel.

In June of this year we already reported that the operators of the Maze ransomware had begun to offer their data-leak platform to other hacker groups. The LockBit and Ragnar Locker ransomware operators then joined Maze, and the resulting conglomerate of hacker groups took the grand name of the Maze Cartel.

Let me remind you that at the end of 2019 the ransomware's operators began to “work” under a new scheme that allows them to extract more money from victims.

“Essentially, the criminals are demanding two ransoms from the affected companies: one for decrypting data, and the other for removing the information that the hackers stole during the attack. In the case of non-payment, the attackers threaten to publish this data in the public domain, on their own sites created specifically for this purpose,” say Bleeping Computer journalists.

It all started with the operators of the Maze ransomware, who began to publish files stolen from the attacked companies when the victims refused to pay. The hackers set up a dedicated website for these leaks, and other groups soon followed the same scheme, including Ako, Avaddon, CLOP, Darkside, DoppelPaymer, Mespinoza (Pysa), Nefilim, NetWalker, Ragnar Locker, REvil (Sodinokibi) and Sekhmet.

When the Maze Cartel was first formed, its members refused to speak to reporters and explain the benefits of the collaboration. Now SunCrypt's operators have told Bleeping Computer that they will continue to operate as an independent group, but maintain two-way communication with Maze. The hackers explained that the Maze members cannot cope with the current volume of work on their own and need help.

“They simply cannot cover all available fields of activity on their own. And our main specialization is ransomware attacks,” say the SunCrypt operators.

When questioned further, the hackers explained to the publication that they share the proceeds from successful operations with Maze, although they did not say exactly how the Maze members are involved in those operations or what exactly they do to “earn” their share.

Journalists speculate that, since Maze cannot keep up on its own, the group is likely giving other cartel members access to already-compromised companies in exchange for a share of the income. Based on the SunCrypt ransomware sample studied by BleepingComputer, however, the cartel members appear to receive more than just that.

The publication says that once SunCrypt is launched on the infected company's network, the malware connects to http://91.218.114[.]31 and transmits information about the attack and the victim. This IP address appears to be an important key to understanding what services Maze provides to its cartel members: it is one of the addresses that Maze uses in its own campaigns as well, and devices infected with the Maze ransomware also transmit information to it during attacks.

The shared use of the same IP address means that the Maze operators either share their infrastructure with other groups or give them access to their technology. This use of the same resources partly explains why the Maze operators receive a share of every ransom payment.
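To make the shared-infrastructure point concrete, here is an added example (not code from this article or from BleepingComputer) that refangs the indicator quoted above, hunts for connections to it in a constructed sample of proxy/firewall log lines, and reports which internal hosts reached an address attributed to both families. The log format, the internal host addresses and timestamps, and the attribution table are assumptions of the example; only the IP itself comes from the article.

```python
import ipaddress
import re
from collections import defaultdict

# Indicator taken from the article, written defanged as threat intel usually
# circulates it: the address that both Maze and SunCrypt samples report to.
SHARED_C2_DEFANGED = "http://91.218.114[.]31"

# Attribution table (assumed structure): which ransomware families the article
# associates with each indicator. Only the single IP is from the article.
IOC_FAMILIES = {
    "91.218.114.31": ("Maze", "SunCrypt"),
}

# Common defanging conventions: "[.]" and "(.)" for dots, "hxxp" for "http".
_DEFANG_PATTERNS = [
    (re.compile(r"\[\.\]"), "."),
    (re.compile(r"\(\.\)"), "."),
    (re.compile(r"\bhxxps?://", re.I),
     lambda m: m.group(0).lower().replace("hxxp", "http")),
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as http://91.218.114[.]31 into a usable value."""
    out = indicator.strip()
    for pat, repl in _DEFANG_PATTERNS:
        out = pat.sub(repl, out)
    return out


def extract_ip(indicator: str) -> str:
    """Pull the bare IPv4 address out of a (possibly defanged) URL or host string.

    Raises ValueError if what remains is not a valid IP, so a typo in an
    indicator list fails loudly instead of silently matching nothing.
    """
    host = re.sub(r"^[a-z]+://", "", refang(indicator), flags=re.I)
    host = host.split("/", 1)[0].split(":", 1)[0]
    return str(ipaddress.ip_address(host))


# Constructed sample log (hypothetical hosts and times), one connection per line:
# "<timestamp> <src_ip> -> <dst_ip>:<port> <verb> <url>"
SAMPLE_LOG = """\
2020-10-27T02:14:03Z 10.20.5.17 -> 91.218.114.31:80 POST http://91.218.114.31/
2020-10-27T02:14:09Z 10.20.5.17 -> 13.107.42.14:443 GET https://www.microsoft.com/
2020-10-27T02:15:41Z 10.20.7.88 -> 91.218.114.31:80 POST http://91.218.114.31/
2020-10-27T02:16:02Z 10.20.9.3 -> 172.217.16.78:443 GET https://www.google.com/
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[0-9.]+):(?P<port>\d+) "
    r"(?P<verb>\S+) (?P<url>\S+)$"
)


def scan_log(text: str, ioc_families=IOC_FAMILIES):
    """Return one hit per log line whose destination IP is a known shared C2."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        dst = m.group("dst")
        if dst in ioc_families:
            hits.append({
                "ts": m.group("ts"),
                "src": m.group("src"),
                "dst": dst,
                "families": ioc_families[dst],
            })
    return hits


def hosts_per_family(hits):
    """Group the internal hosts that beaconed to each attributed family.

    Because the indicator is shared, one hit lands under both Maze and SunCrypt;
    that overlap is exactly the overlap the article describes.
    """
    out = defaultdict(set)
    for h in hits:
        for fam in h["families"]:
            out[fam].add(h["src"])
    return dict(out)


if __name__ == "__main__":
    print("refanged:", extract_ip(SHARED_C2_DEFANGED))
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
    print(hosts_per_family(scan_log(SAMPLE_LOG)))
```

A single IP is a brittle indicator: it is useful for retrospective hunting across proxy and firewall logs from the period in question, but it should be checked against current threat intelligence before it is used for blocking, since the address may be reassigned or the operators may move.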


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
