The ransomware syndicate created by the operators of the Maze ransomware has added another group to its ranks.
Ransomware operations that target business networks will often steal a victim’s unencrypted files before encrypting the rest of their network. Cybercriminals do this so that they can use these files as leverage in case victims fail to pay its ransoms. If the ransom isn’t paid, then the unencrypted files will be leaked online via a data leak site.
Last year, the Maze ransomware group launched a data leak site of its own called Maze News which it uses to shame victims into paying by publicly releasing their stolen data. However, the group took things a step further recently when it decided to create a ransomware syndicate with other ransomware operators to exchange tactics, intelligence and extort victims through its data leak platform.
The operators of the LockBit ransomware were the first group to join Maze’s ransomware syndicate but now another competing ransomware group named RagnarLocker has joined as well. In a post on Twitter, Ransom Leaks provided further details on the newest member of the ‘cartel’, saying:
“The MazeRansomware cartel is real. In addition to LockBit, they are providing infrastructure for RagnarLocker’s leaks. Ragnar previously claimed Brunner breach. Now it is listed on Maze’s leak site with attribution to RagnarLocker”
While LockBit does not operate its own data leak site, RagnarLocker does which means the group has less to gain by joining the syndicate. However, RagnarLocker could still be benefiting from the arrangement by being associated with the Maze gang and by sharing tactics and intelligence with it and LockBit.
At this time, it is still unknown how the Maze gang benefits from its ransomware syndicate but the group could be collecting a portion of the profits from the stolen data auctioned off on its Maze News site. Also, there is power in numbers in addition to the benefits of sharing intelligence and exchanging tactics with other cybercriminals.