Ransomware Group Cooperation: A Growing Challenge in the Fight Against Cybercrime


In recent years, cybersecurity has faced an increasingly complex threat: collaboration among cybercriminal groups. It is now common to observe the same set of data being released by multiple malicious actors, with timelines ranging from a few days to several months. This phenomenon can be attributed to two main scenarios:

  1. Intentional collaboration among groups, where resources and information are exchanged strategically.
  2. Resale or sharing of exfiltrated data, where the initial attacker provides information to multiple actors.

Among the key players in these events is the Meow Leaks group, known for claiming “exclusive” attacks. However, a closer analysis reveals that in at least seven recent cases, listed in the table below, the declared victims’ names had already been disclosed by other actors. This raises suspicions that the group may not be the original perpetrator of the breaches but rather an intermediary in the resale or reuse of stolen data.
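The cross-referencing described above (the same victim name appearing on more than one group's leak site, with a gap of days to months between listings) is straightforward to automate over a feed of leak-site observations. The script below is an added example, not part of the original article or of any tracker's code; the claim records in it are constructed placeholders, and the group labels, the name-normalization rules and the suffix list are assumptions:

```python
"""Cross-reference ransomware leak-site claims to find victims listed by more
than one group, and the delay between the first listing and each later one.
Added example: the claim records are constructed placeholders, not real cases."""
from collections import defaultdict
from datetime import date

# Constructed observations: (group label, victim name as posted, date first seen).
CLAIMS = [
    ("blacksuit", "Example Valuation Pty Ltd", date(2024, 4, 15)),
    ("meow", "EXAMPLE VALUATION PTY. LTD.", date(2024, 11, 14)),
    ("blacksuit", "Acme Logistics Inc", date(2024, 6, 2)),
    ("meow", "Acme Logistics, Inc.", date(2024, 6, 9)),
    ("lockbit", "Northwind Traders", date(2024, 3, 1)),
    ("meow", "Contoso Health", date(2024, 10, 20)),
]

# Assumed list of legal-form suffixes to ignore when matching names.
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "pty", "plc", "corp", "co", "gmbh", "sa", "srl"}


def normalize_victim(name):
    """Canonical key for a victim name: lower-case, punctuation replaced by
    spaces, legal-form suffixes dropped, so that 'Acme Logistics, Inc.' and
    'ACME LOGISTICS INC' collapse to the same key."""
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in name.lower())
    tokens = [t for t in cleaned.split() if t not in LEGAL_SUFFIXES]
    return " ".join(tokens)


def _claims_by_victim(claims):
    """Index claims by normalized victim, each list sorted by date seen."""
    by_victim = defaultdict(list)
    for group, name, seen in claims:
        by_victim[normalize_victim(name)].append((seen, group))
    for entries in by_victim.values():
        entries.sort()
    return by_victim


def find_reclaims(claims):
    """Return one record per victim listed by more than one group, ordered by
    the earliest listing, with the gap in days between that listing and each
    later listing by a different group."""
    reclaims = []
    for key, entries in _claims_by_victim(claims).items():
        if len({g for _, g in entries}) < 2:
            continue
        first_seen, first_group = entries[0]
        later = [(g, (seen - first_seen).days) for seen, g in entries[1:] if g != first_group]
        reclaims.append({"victim": key, "first_group": first_group,
                         "first_seen": first_seen, "later": later})
    return sorted(reclaims, key=lambda r: r["first_seen"])


def reclaim_share(claims, group):
    """(preceded, total): how many of `group`'s distinct victims had already been
    listed earlier by a different group, versus how many it listed in total.
    A high ratio is the signal the article describes for Meow Leaks."""
    preceded = total = 0
    for entries in _claims_by_victim(claims).values():
        own = [seen for seen, g in entries if g == group]
        if not own:
            continue
        total += 1
        if any(g != group and seen < min(own) for seen, g in entries):
            preceded += 1
    return preceded, total


if __name__ == "__main__":
    for rec in find_reclaims(CLAIMS):
        for group, days in rec["later"]:
            print(f"{rec['victim']}: first by {rec['first_group']} on {rec['first_seen']}, "
                  f"re-listed by {group} {days} days later")
    preceded, total = reclaim_share(CLAIMS, "meow")
    print(f"meow: {preceded} of {total} victims were listed earlier by another group")
```

The normalization step matters more than it looks: leak sites post victim names inconsistently (case, punctuation, legal suffixes), so a naive string match misses most re-listings. The `reclaim_share` ratio is the quantity the article argues about: the fraction of a group's "exclusive" claims that another group had already published.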


The last victim listed in the table, the Australian property valuation company Herron Todd White, stated to journalist Daniel Croft that the dataset exfiltrated by Meow Leaks on November 14 is the same as the one previously exfiltrated by the BlackSuit group in April this year.

This duplication of data was confirmed by Herron Todd White to the Australian news outlet Cyber Daily:

“[…] We have ongoing cyber security monitoring in place and our investigation has provided no evidence that any unauthorised third party has accessed our systems, and this does not represent a new incident or compromise of our systems.”

“Based on the nature of the claim and the data involved, the advice we have received from our external cyber security experts is that this is the same data set that was the subject of a cyber incident experienced in April 2024 […]”
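The article does not say how a conclusion like Herron Todd White's is reached. The following is an added example (not part of the article, and not how their experts worked) of one defensible approach, under the assumption that a file manifest of the original breach was preserved in the incident record: hash the newly posted files, measure overlap with the earlier manifest, and look for any file modified after the first incident was contained. All file names, contents, dates and the `compare_leaks` verdict labels are constructed for the example:

```python
"""Decide whether a newly posted leak is a re-release of an earlier breach
dataset or carries indicators of access after that incident was contained.
Added example with constructed manifests; not any company's real data."""
import hashlib
from datetime import datetime


def sha256_hex(data):
    """Content hash used as the file identity in both manifests."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: iterable of (path, content bytes, last-modified datetime).
    Returns {path: (sha256, mtime)}. In practice the earlier manifest comes from
    the incident record kept after the first breach, the later one from the
    archive posted on the leak site."""
    return {path: (sha256_hex(content), mtime) for path, content, mtime in files}


def compare_leaks(old, new, containment, min_overlap=0.9):
    """Compare the new leak's manifest against the earlier one.
    jaccard: overlap of (path, hash) pairs; changed: same path, different content;
    only_new: paths absent from the earlier manifest; modified_after_containment:
    files whose timestamp post-dates the assumed containment of the first incident,
    the strongest indicator of new access. min_overlap is an analyst-chosen threshold."""
    old_pairs = {(p, h) for p, (h, _) in old.items()}
    new_pairs = {(p, h) for p, (h, _) in new.items()}
    union = old_pairs | new_pairs
    jaccard = len(old_pairs & new_pairs) / len(union) if union else 0.0
    changed = sorted(p for p in new if p in old and old[p][0] != new[p][0])
    only_new = sorted(p for p in new if p not in old)
    after = sorted(p for p, (_, m) in new.items() if m > containment)
    if after:
        verdict = "new-access-indicators"
    elif jaccard >= min_overlap and not changed:
        verdict = "re-release"
    else:
        verdict = "inconclusive"
    return {"jaccard": jaccard, "changed": changed, "only_new": only_new,
            "modified_after_containment": after, "verdict": verdict}


# Constructed data: files recorded after the first (April) incident, and an
# assumed containment date for it.
OLD_FILES = [
    ("finance/q1_report.xlsx", b"q1 numbers", datetime(2024, 3, 12)),
    ("hr/staff_list.csv", b"alice,bob", datetime(2024, 2, 3)),
    ("valuations/site_42.pdf", b"valuation 42", datetime(2024, 4, 1)),
]
OLD_MANIFEST = build_manifest(OLD_FILES)
CONTAINMENT = datetime(2024, 4, 30)


def rerelease_manifest():
    """Scenario A: the later group posts exactly the earlier dataset."""
    return build_manifest(OLD_FILES)


def new_access_manifest():
    """Scenario B: the later post also contains a file written months after containment."""
    extra = [("finance/q3_report.xlsx", b"q3 numbers", datetime(2024, 10, 2))]
    return build_manifest(OLD_FILES + extra)


if __name__ == "__main__":
    for label, manifest in (("scenario A", rerelease_manifest()), ("scenario B", new_access_manifest())):
        result = compare_leaks(OLD_MANIFEST, manifest, CONTAINMENT)
        print(label, result["verdict"], f"overlap={result['jaccard']:.2f}",
              result["modified_after_containment"])
```

Archive timestamps are set by whoever built the archive, so a post-containment modification time is a lead to check against internal access logs, not proof of a new intrusion on its own; the content-hash overlap is the more robust half of the comparison, and a high overlap with no changed or newer files is what supports a "same data set, no new incident" statement.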

In recent days, we reached out to Meow Leaks with a direct question:

Hi, in the next few days we will write an article about the cases of victims previously hit by other groups (BlackSuit mainly) that you listed later. I will give you some examples because it is starting to be a number too high to talk about “coincidences” or unconnected attacks. We believe instead that we are dealing with a single attack and a double claim ))
BlackSuit victims, just a few examples in addition to the one I already mentioned yesterday (Herron Todd White). If you want to comment

This was Meow Leaks’ response:

I can’t tell you exactly, but I know that my partners hack into the company several times and download it. Maybe there is a decrypter for the lockers, if the files are not encrypted ).

We asked Meow Leaks what they specifically meant by the phrase, ‘Maybe there is a decrypter for the lockers, if the files are not encrypted.’

Their response, once again, was vague.

Hi! I mean we don't have encrypted files in sale, all files are clean

We reached out to Meow Leaks once again, asking them to be more specific and to confirm or deny whether the datasets linked to the victims listed in our table were new or related to previous breaches:

So you confirm that the data of the victims you have are part of different attacks and that they have nothing to do with those listed by other groups?

Meow Leaks has not responded to our follow-up inquiry.

Looking back, the phenomenon of collaboration among criminal groups has become increasingly frequent. Many groups stem from internal splits or unite forces to expand the scope and effectiveness of their attacks. Beyond data sharing, these groups exchange tools, techniques, and even zero-day exploits, amplifying the damage inflicted on victims.


Key Cases of Group Interoperability


Collaboration in the Context of Microsoft Exchange

One of the most notable examples of interoperability relates to the shared exploitation of vulnerabilities in Microsoft Exchange software. In March 2021, groups such as Hafnium exploited the critical vulnerabilities known as ProxyLogon to exfiltrate data from thousands of victims. Hafnium, associated with state-sponsored operations, was the first to exploit these flaws. However, groups like Conti and REvil later leveraged the same vulnerabilities to target commercial entities. This case highlights how different actors, with seemingly divergent objectives, can share techniques and tools, magnifying the overall impact of breaches.

Maze and Egregor: The Birth of a New Group

In 2020, the Maze and Egregor groups demonstrated how internal splits could lead to the creation of more powerful threats. Both known for using double extortion tactics (encryption and data publication threats), the two groups shared advanced techniques, such as leveraging zero-day exploits. After Maze ceased its activities, some members contributed to Egregor’s establishment, creating a direct connection between the two entities. This cooperation enabled them to target a larger number of victims within a relatively short period.

DoppelPaymer and REvil: Shared Resources

In 2021, DoppelPaymer and REvil actively collaborated to combine their resources. Both groups utilized sophisticated ransomware tools and techniques, such as credential dumping, to access highly secure systems. This collaboration led to a series of high-profile attacks, including those targeting sensitive sectors like healthcare and finance. The cooperation between the two groups demonstrated how sharing techniques could increase the effectiveness of attacks and bypass even the most advanced defenses.

Medusa and BlackByte: A Deadly Approach

In 2022, Medusa and BlackByte collaborated to strengthen their attacks on companies in Europe and North America. Both groups leveraged malware that allowed remote access to corporate systems, sharing techniques such as Remote Desktop Protocol (RDP) exploitation and tools such as Mimikatz. This made their attacks extremely challenging to prevent, with many companies forced to pay hefty ransoms to avoid data publication.

The Avaddon Case and the RaaS Model

Another emblematic case involves Avaddon, a group dismantled by authorities in 2021. Despite this, its members reemerged within other groups, such as BlackByte. The ability to reorganize and combine resources clearly demonstrates the evolving dynamics in the cybercrime landscape. With the adoption of the Ransomware-as-a-Service (RaaS) model, groups like Avaddon and BlackByte began collaborating with external actors who operated as tenants, leveraging already-compromised infrastructures and data. This gave rise to a broad and complex ecosystem, where data exfiltrated by one group could be resold or used for new attacks by other, unaffiliated actors.

AvosLocker and BlackByte: An Intricate Network

In 2022, AvosLocker and BlackByte adopted RaaS strategies to allow smaller groups to rent infrastructure and launch targeted attacks. These groups not only shared tools but also exfiltrated data, creating an intricate exchange network. For instance, while AvosLocker focused on phishing attacks and RDP exploitation, BlackByte utilized highly sophisticated malware that ensured greater persistence within compromised networks.


The interoperability among ransomware groups represents a growing threat in the cybersecurity landscape. These actors no longer operate in isolation but regularly collaborate, exchanging resources and data to maximize the impact of their operations. The introduction of models like RaaS has further amplified the scope of these activities, creating a highly interconnected ecosystem.

Countering these threats requires a global effort, with law enforcement and organizations developing increasingly sophisticated strategies to monitor and prevent these dynamics.
