
The rise of ransomware gangs has become one of the most concerning threats for individuals and organizations alike. These gangs—often operating in a highly organized and professional manner—have been known to disrupt entire industries, steal sensitive data, and demand millions of dollars in ransom payments. But one question that often arises is whether these gangs are all interconnected or if they operate in isolation. The answer, as it turns out, is a bit more complex than one might expect.
The Ransomware-as-a-Service Model
One of the primary factors contributing to the apparent interconnectedness of ransomware gangs is the Ransomware-as-a-Service (RaaS) model. This business model allows cybercriminals to rent or buy ransomware tools from other criminals. In essence, it’s a “service” in which the ransomware gang creates and manages the malicious software while affiliates (often less experienced hackers) deploy the attacks.
The RaaS model means that many gangs may not be working directly together but are, in fact, using the same tools, tactics, and infrastructure. For example, if one group develops a new strain of ransomware, they might offer it to other groups through dark web forums or underground networks. This cross-pollination of tools creates a shared ecosystem where gangs might not be “working together” per se, but they are certainly using overlapping resources.
Shared Infrastructure and “Affiliate” Networks
Some ransomware groups have been known to share infrastructure, such as servers, ransomware payloads, and even ransom negotiation tactics. The infrastructure that facilitates the attack—such as encrypted communication channels, payment portals, and exfiltration servers—often overlaps between different groups.
The infamous REvil gang, for example, was known for partnering with several other smaller ransomware groups, who would often share similar tactics and payloads. After REvil was taken down in 2021, some of its affiliates appeared to regroup under new names or continue their operations with modified ransomware strains. This suggests that while the gangs might rebrand themselves or operate under different aliases, the underlying infrastructure might remain similar or interconnected.
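Shared servers and rebranded affiliates are what analysts look for when they cluster incident reports by overlapping indicators. The following is an added example, not part of the original article: it groups incidents that share infrastructure (so two brand names can land in one cluster) and separately lists incidents that share only a rented kit, which points to a common supplier rather than common operators. All records, brand names, hosts, addresses and function names are constructed for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed incident records. Brand names, addresses (documentation ranges)
# and .invalid hosts are invented for illustration, not real indicators.
INCIDENTS = [
    {"id": "IR-01", "brand": "BrandA", "infra": {"198.51.100.7", "pay.a.invalid"}, "tooling": {"kit-x"}},
    {"id": "IR-02", "brand": "BrandA", "infra": {"198.51.100.7", "203.0.113.20"}, "tooling": {"kit-x"}},
    {"id": "IR-03", "brand": "BrandB", "infra": {"203.0.113.20", "pay.b.invalid"}, "tooling": {"kit-x-mod"}},
    {"id": "IR-04", "brand": "BrandC", "infra": {"192.0.2.99", "pay.c.invalid"}, "tooling": {"kit-x"}},
]


def cluster_by_infra(incidents):
    """Group incidents that share any infrastructure indicator, transitively."""
    parent = {i["id"]: i["id"] for i in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    seen = {}  # indicator -> first incident id that used it
    for inc in incidents:
        for ind in inc["infra"]:
            if ind in seen:
                parent[find(inc["id"])] = find(seen[ind])
            else:
                seen[ind] = inc["id"]
    groups = defaultdict(set)
    for inc in incidents:
        groups[find(inc["id"])].add(inc["id"])
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def tooling_only_links(incidents, clusters):
    """Pairs that share tooling but sit in different infrastructure clusters."""
    cluster_of = {iid: n for n, c in enumerate(clusters) for iid in c}
    return sorted(
        (a["id"], b["id"])
        for a, b in combinations(incidents, 2)
        if a["tooling"] & b["tooling"] and cluster_of[a["id"]] != cluster_of[b["id"]]
    )


if __name__ == "__main__":
    clusters = cluster_by_infra(INCIDENTS)
    print(clusters, tooling_only_links(INCIDENTS, clusters))
```

In this constructed data the BrandA and BrandB incidents merge through a shared server, while BrandC is tied to them only by the common kit.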
The Role of Ransomware Marketplaces
Dark web marketplaces are another significant factor in the interconnectedness of ransomware gangs. These marketplaces serve as “hubs” for cybercriminals, offering a place for them to exchange ransomware tools, data exfiltration techniques, and other malicious resources.
Marketplaces like XSS and Empire have become notorious for allowing ransomware operators to buy and sell exploits and malware—essentially creating an ecosystem where gangs can collaborate or compete, depending on their goals.
In many cases, gangs use these marketplaces to sell stolen data or other illicit materials. This overlap creates a situation where many gangs are indirectly tied to each other, even if they don’t share direct operations or leadership. The stolen data or tools might change hands several times before finally being utilized in an attack, further connecting these entities.
Alliances and Informal Collaborations
Although there’s no formal “ransomware cartel” running the show, informal collaborations between different gangs do exist. For instance, one gang might specialize in breaching a particular industry (like healthcare), while another focuses on exploiting particular vulnerabilities. They may share information or even help each other out if it benefits their individual goals.
Some researchers have noted that certain ransomware groups tend to target the same victims or industries, which might hint at informal alliances or shared objectives. Additionally, when one group is taken down or disbanded (for instance, the recent takedown of Conti), it’s not uncommon for its members to join forces with other gangs, adopting similar tactics and continuing their operations under a new name.
Rivalries and Competition
Despite the significant overlap, there are also fierce rivalries within the ransomware world. In fact, some gangs operate almost like competitors in a cutthroat business. For example, if two gangs target the same victim at the same time, they might engage in a bidding war for the ransom, with each group trying to outbid the other in terms of pressure tactics or ransom demands.
This competition can also be seen in the “public shaming” of victims. When a victim refuses to pay or goes public with their breach, different gangs might exploit the situation, trying to take advantage of the chaos and disrupt each other’s operations. The rivalry between REvil and Maze was particularly notorious, with both gangs often targeting the same companies and vying for dominance in the ransomware space.
Conclusion: A Web of Connections, Not a Unified Network
To answer the original question: while not all ransomware gangs are directly interconnected, there is a significant web of connections between them. These connections often emerge through shared resources, affiliate networks, ransomware-as-a-service platforms, and dark web marketplaces. However, due to the competitive nature of the cybercrime world, these connections don’t necessarily equate to formal partnerships or collaborations.
In many cases, the interconnectedness is more about sharing tools and infrastructure than about unified action. The result is an increasingly complex and dangerous cybercrime ecosystem, where different gangs can work together indirectly while still maintaining their independence and rivalry.
As cybersecurity experts continue to track these groups, the relationships between them will likely evolve. With law enforcement and international cooperation ramping up, we may see more targeted efforts to disrupt these informal networks in the future. But for now, ransomware gangs continue to operate in the shadows, both independently and as part of an interconnected global web of cybercrime.