The actors behind Ragnar Locker partnered with the Maze ransomware gang as a means of extorting victims whose unencrypted data they had stolen.
On June 8, the operator of the “Ransom Leaks” Twitter account revealed that Maze ransomware had begun using its infrastructure to share data leaks perpetrated by Ragnar Locker.
#MazeRansomware cartel is real. In addition to LockBit, they are providing infrastructure for RagnarLocker's leaks. Ragnar previously claimed Brunner breach. Now it is listed on Maze's leak site with attribution to RagnarLocker pic.twitter.com/uzNP4YdnXv
— Ransom Leaks (@ransomleaks) June 8, 2020
A threat which made headlines back in April when it demanded 1580 bitcoin (approximately $11 million) as ransom from Portuguese electric utilities company Energias de Portuga (EDP), Ragnar Locker became the second ransomware to avail itself of Maze’s data leak platform. LockBit joined up with Maze in early-June, as reported by Bleeping Computer.
Ragnar Locker stood apart from LockBit in that it already had its own data leaks site at the time of analysis. Bleeping Computer therefore wondered what benefit the Ragnar Locker actors might derive from this setup. The computer self-help site was also curious whether Maze collected a share of Ragnar Locker’s and LockBit’s ransom profits via this arrangement.
Either way, such a “cartel” of ransomware families doesn’t promise anything good for organizations or users going forward. Bleeping Computer noted this point in its research:
This continued cooperation between ransomware gangs is a concerning development. The sharing of advice, tactics, and a centralized data leak platform between different ransomware operations will only enable them to perform more advanced attacks, with potentially larger ransoms.
The Maze actors told the computer self-help website that other ransomware gangs were in discussion to join their cartel at a later time, as well.
Such collaboration highlights the need for organizations to strengthen their defenses against ransomware threats. One of the ways they can do this is by familiarizing their employees with some of the most common types of phishing attacks in circulation today. They should also follow these steps to prevent a crypto-malware infection in the first place.