Did 4 Major Ransomware Groups Truly Form a Cartel?

An analysis of well-known extortion groups and their cryptocurrency transactions reveals the answer.

A collection of ransomware groups that banded together to create a "cartel" rarely collaborate and don't share profits, suggesting that concerns over a sprawling cybercriminal organization are overblown, according to Analyst1.


The four cybercriminal groups — Twisted Spider, Viking Spider, Wizard Spider, and the LockBit Gang — announced at different times throughout summer 2020 that they would be working together but gave few other details. By November, when Twisted Spider — also known as the Maze group — closed down, it denied there had ever been a cartel.


In a nearly 60-page report, Jon DiMaggio, a former contractor for the National Security Agency (NSA) and now chief security strategist at threat intelligence firm Analyst1, investigated whether the groups had actually joined forces. While he documented their sharing of data breach information, cross-posting of data, and sharing of techniques, he never saw any revenue sharing or coordination between the groups, he says.


"If you go look up what a cartel is ... the one driving theme is when these organizations work together and share profits with one another," DiMaggio says. "What I did not ever see, even one time, is one gang paying another gang. At the end of the day, they can call themselves a cartel, but I don't think they are a cartel."


The report delves into the convoluted details of the past year, a time during which ransomware attacks more than doubled. In May 2020, Twisted Spider announced it had joined with the LockBit group to form a cartel to "share their experience and data leak platform," according to one r ..