
Maze ransomware 'cartel' expands with new members

Two more ransomware groups have apparently joined the Maze 'cartel' in an effort to expose victims' data on leak sites and shame them into paying expensive ransoms.

The Maze ransomware "cartel" is growing.

Two more ransomware gangs, Conti and SunCrypt, have apparently joined the Maze collective, which currently consists of Maze, LockBit and Ragnar Locker.

In June, Maze operators announced the creation of a ransomware cartel that included other cybercrime gangs, which teamed up to share resources, leak victims' data on Maze's "news" site and extort their victims. BleepingComputer reported on Wednesday that SunCrypt has become a new member. According to the report, SunCrypt operators contacted BleepingComputer and said they had joined Maze's cartel.

SearchSecurity contacted the Maze operators via email for confirmation of the report but did not hear back.

Another gang has also begun working with the Maze ransomware cartel. According to Emsisoft threat analyst Brett Callow, the Conti ransomware gang, which recently launched its own data leak site, is collaborating with Maze. "They've published data from a number of Maze attacks," Callow said in an email to SearchSecurity.

Conti published stolen data from two victims listed on Maze's website; the leaked data appears on both sites, Callow said, so it's unclear which ransomware operators were behind the actual attacks (Conti's website was unavailable at press time). While the Maze site doesn't attribute those two attacks to different groups, it appears they are working together based on the information and Callow's input.

Conti was first identified in June, and the gang's leak site was launched more recently.

"Conti may be a replacement for Ryuk, which has seen a significant dip in activity in recent weeks," Callow said. "It shares some of its code with Ryuk, uses the same note and also the same infrastructure, which could indicate it was created by the Ryuk team or a splinter group."

In a new report on Thursday by cyber-risk intelligence vendor Cyble, researchers discovered Conti operators claimed to have attacked and stolen data from the Volkswagen Group.

"Recently, our researchers came across a leak disclosure post in which Conti ransomware operators claim to have allegedly breached the Volkswagen Group. Currently, the ransomware operators seem to have targeted one of the Volkswagen Group franchises based in Salzkotten, Germany," Cyble wrote in the report.

Volkswagen Group said only a single dealership in Germany was affected by the attack.

"A dealership in Germany has reported a hacker attack on its data. There was no unauthorized attempt to access Volkswagen's own IT systems. The dealership concerned has already taken extensive measures to secure its systems. Volkswagen offered the dealership support with the investigation and analysis," a Volkswagen Group spokesperson said in an email to SearchSecurity.

The further expansion highlights the increasing momentum of Maze, which has claimed responsibility for several high-profile ransomware attacks in recent months. Earlier this month, a major cyberattack on technology giant Canon was believed to be the latest work of the cybercriminal gang.
