A second ransomware gang has partnered with Maze Ransomware to use their data leak platform to extort victims whose unencrypted files were stolen.
Before encrypting a victim’s network, most network-targeting ransomware operations will steal a victim’s unencrypted files. These files are then used as leverage by threatening to release them publicly on data leak sites if a ransom is not paid.
Last week, we reported that the LockBit ransomware had teamed up with Maze Ransomware to use their data leak platform and share intelligence to drive successful extortions.
This cooperation essentially created a ‘cartel’ of independent and competing ransomware operations who collude with each other to increase profits and increase the success of their attacks.
Maze ransomware told BleepingComputer that another ransomware operator would be joining in a few days. Others were in discussion to join at a later time.
“In a few days another group will emerge on our news website, we all see in this cooperation the way leading to mutual beneficial outcome, for both actor groups and companies.”
Ragnar Locker joins ‘Maze Cartel’
The Maze operators also have adopted the ‘cartel’ label that we associated with their cooperation with competing ransomware operations.
It should be noted LockBit does not operate a data leak site, and thus benefits from using Maze’s platform.
Ragnar Locker, on the other hand, does have its own leak site, so it unknown what they gain from this cooperation.
It is not known how Maze benefits from this cooperation, but it could be a piece of the profits for victims who fall for this extortion tactic.
This continued cooperation between ransomware gangs is a concerning development. The sharing of advice, tactics, and a centralized data leak platform between different ransomware operations will only enable them to perform more advanced attacks, with potentially larger ransoms.