A new ransomware group that has already run five successful ransomware attacks has joined the Maze cartel. In so doing, SunCrypt has provided some information on how the cartel works.
The Maze Cartel
The Maze cartel came into being in June 2020 and was formed by Maze, a well-established Russian cybercriminal group. Maze was the group that introduced the technique of stealing victims’ data and then threatening to publish it online if the victim did not pay. Previously, the data was only encrypted, and victims could sometimes avoid paying the ransom by restoring from backup.
Initially the cartel comprised Maze and LockBit, which started operations in September 2019. Soon after, the cartel was also joined by Ragnar Locker. LockBit, like Nemty ransomware, provides Ransomware-as-a-Service (RaaS). It is known for its ability to spread itself to encrypt hundreds of devices within hours of breaching a network. Ragnar Locker, on the other hand, targets Microsoft Windows devices and was first observed in December 2019.
Then last week the relatively new SunCrypt ransomware group joined the cartel. SunCrypt began operations in October 2019 and has five victims to its name. Unlike other ransomware, SunCrypt renames the encrypted files by appending a string of random characters as their new extension. Other ransomware groups usually just append the name of the ransomware to encrypted files’ extensions.
How Does the Cartel Work?
When the cartel was first formed, the members refused to explain the benefits of this collaboration. However, when SunCrypt joined, they provided some insight on how the cartel works and the benefits to its members.
SunCrypt explained that they would continue to operate as an independent group but collaborate with Maze cartel members. Although SunCrypt did not explain the basis of this collaboration, they did reveal that proceeds from successful operations are shared with Maze. Consequently, journalists speculate that for Maze to get a portion of the proceeds, they are probably sharing infrastructure and compromised network access with cartel members. Another possibility is that Maze is white labelling their ransomware technology to cartel members. A white label product is a product or service produced by one firm that other firms rebrand to make it appear as their own.
SunCrypt also explained that the cartel was formed because Maze “just can’t handle all the available field operations.” Maze shares information and techniques amongst members of the cartel and the members help each other extort their victims.