September 15

Increasing collaboration among cybercrime gangs


You probably already know that the image of cybercriminals as lone hackers toiling away in a basement somewhere on their own — whether for their own amusement, to earn glory among other hackers, or to sabotage or steal from specific targets — is a very long way from the modern reality.

Today, cybercriminal gangs are organized and sophisticated, operating more like modern software companies or traditional organized crime families. Or to be more precise, traditional organized crime has moved into the cybercrime space, driving out the older “mom-and-pop” operators.

Some of the more notorious gangs are Cobalt, Lazarus, MageCart, and Evil Corp.

Cybercrime specialization

Each of these gangs has its own specialty and its own motivation — which need not be solely financial gain.

  • Cl0p is a group that pioneered the use of ransomware for “double extortion” — first extracting payment in exchange for a decryption key, and then demanding a second payment in exchange for not disseminating the data that was not only encrypted but also stolen.
  • REvil is a ransomware-as-a-service gang that has made headlines in recent years, launching attacks on behalf of paying clients and dividing the profits with them. Russian authorities claimed to have dismantled the group in 2022 and arrested several of its members.
  • The Syrian Electronic Army is regarded as a hacktivist group because its primary objective is the dissemination of propaganda and fake news via credible outlets.
  • DarkSide delivers cybercrime-as-a-service and is known for attacks on large corporations and industrial infrastructures. This gang also hosts forums where attendees learn to improve their cybercrime skills, for instance by strategically combining different types of attacks.
  • MageCart is emblematic of a newer trend, as it is a syndicate made up various gangs working together. It has focused on e-commerce hacking, breaching large organizations like British Airways and stealing credit-card data for hundreds of thousands of people.

Intergang collaboration

Two recent reports from Security Intelligence document the growing trend of multiple gangs working together to increase efficiency and revenues.

In a 2019 article, Security Intelligence noted that data from the 2019 IBM X-Force Threat Intelligence Index revealed previously unseen collaboration between groups that targeted the banking industry using various types of Trojans. In particular, the study found that two popular Trojans, TrickBot and IcedID, had been modified by the respective gangs that operate them to work together, each one dropping the other into infected systems. It noted that while cybercrime gangs often copy each other’s tactics, the innovations introduced into these two Trojans clearly indicated a deliberate collaboration between the two groups.

In addition, it was found that TrickBot was increasingly being used to introduce Ryuk — a type of ransomware that at the time was innovative for its use of sophisticated reconnaissance to locate targets’ most valuable data.

In the same report, Security Intelligence identified further evidence of intergang collaboration involving the use of Gozi and Ramnit malware.

2022 Collaboration

In a 2022 report on that year’s IBM X-Force Threat Intelligence Index, Security Intelligence focused on the cybercrime group ITG23, which developed TrickBot and continues to deploy evolving versions of it.

In this report they analyzed data regarding the use of crypters built by ITG23. Crypters are applications that are used to encrypt malware in a way that makes it undetectable by antivirus scanners.

Their analysis found that throughout the previous year, versions of ITG23’s crypters were being used by a large number of cybercrime groups other than ITG23, including the developers of Emotet, IcedID, Qakbot, and MountLocker. This is a strong indication that these groups are working in partnership with ITG23.

Further evidence shows that ITG23 has scaled back or discontinued the use of its formerly flagship malware, TrickBot and BazarLoader. At the same time, they’ve scaled up their development of crypters by creating a crypter “build machine” that essentially automates the mass production of crypter applications. This is a further indication of how the cybercrime economy is evolving to be based on widespread collaboration among disparate groups.


What does all this mean for organizations and IT professionals like you? Well, the bottom line is that the threat landscape is changing rapidly, as criminal gangs discover and exploit the efficiencies to be gained by collaboration and specialization. Which in turn means that the ongoing onslaught of ransomware attacks and large-scale data breaches is going to continue.

Security strategies and technologies will, of course, respond by developing new ways to combat these attacks, but targets will continue to suffer damage. And that means it’s critically important for organizations of all kinds to understand the keys to recovering from ransomware quickly and effectively, to minimize operational and other impacts.

  • Practice! The best advice on how to get to Carnegie Hall is also the best advice for dealing effectively with security incidents. You need to develop a response plan that involves multiple roles — and you need to practice it by gaming out different scenarios based on your organization’s most valuable and/or vulnerable systems.
  • Back up! If your data is encrypted, destroyed, or sabotaged, the single most important factor in recovery is being able to restore that data from backup as quickly as possible. Advanced solutions like Barracuda Backup and Cloud-to-Cloud Backup make it extraordinarily simple and fast to specify exactly which files and/or servers need to be restored and to get them back, to minimize costly downtime.
  • Secure! Prevent the vast majority of attacks from succeeding, by ensuring that you’ve done all you can to fully secure your email system — by far the top vector for initiating attacks. A comprehensive, full-featured email protection platform like Barracuda Email Protection combines advanced antivirus, inbox protection, impersonation protection, security-awareness training, automated incident response, and more to keep successful intrusions into your system to an absolute minimum. Advanced application security like that delivered by Barracuda Application Protection is also a powerful way to combat modern, multi-vector attacks.

To get more detailed information on the evolution of ransomware — information that can help you allocate your cybersecurity resources as effectively as possible — download the Barracuda 2023 Ransomware Insights report.


You may also like

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Get in touch

0 of 350