Resecurity’s HUNTER (HUMINT) unit has identified a notable collaboration between three prominent ransomware groups – BianLian, White Rabbit, and Mario Ransomware. This revelation emerged during a Digital Forensics & Incident Response (DFIR) engagement with a law enforcement agency and a leading investment organization in Singapore, among other victims. The joint extortion campaign was primarily focused on publicly traded financial services firms.
In this collaborative ransomware effort, Resecurity noted the gangs’ use of a ‘password spraying’ attack, employing multiple Residential IP Proxies based in the Asia-Pacific (APAC) region. The attackers leveraged Business Email Compromise (BEC) as the vector for delivering ransom payment demands anonymously. Compromised email accounts belonging to other organizations were utilized to complicate the investigation.
Such cooperative ransom campaigns are relatively rare but may be increasing due to the involvement of Initial Access Brokers (IABs) collaborating with multiple groups on the Dark Web. Additionally, law enforcement interventions leading to the dispersal of cybercriminal networks could contribute to greater collaboration among rival groups. The systemic significance of IABs in the cybercriminal underworld has created a more fluid threat landscape, where ransomware operators move between groups based on financial considerations.
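Added example, not part of Resecurity's report: because the password spraying noted above was spread across multiple residential proxies, a per-source-IP failure threshold sees only a few attempts per address. The detection sketch below instead counts distinct accounts failing within a time window; the event format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

def sample_events():
    """Constructed auth events: (timestamp, source IP, account, outcome).
    IPs are from documentation ranges; account names are invented."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    events = []
    # Spray pattern: 12 accounts, one failure each, rotated over 6 IPs.
    for i in range(12):
        events.append((t0 + timedelta(seconds=20 * i),
                       f"203.0.113.{10 + i % 6}", f"user{i:02d}", "FAIL"))
    # Benign noise: one user mistypes a password three times, then logs in.
    for i in range(3):
        events.append((t0 + timedelta(minutes=30, seconds=5 * i),
                       "198.51.100.7", "alice", "FAIL"))
    events.append((t0 + timedelta(minutes=31), "198.51.100.7", "alice", "OK"))
    return sorted(events)

def per_ip_alerts(events, max_fail_per_ip=5):
    """Lockout-style rule: flag any single IP with many failures."""
    fails = Counter(ip for _, ip, _, res in events if res == "FAIL")
    return sorted(ip for ip, n in fails.items() if n > max_fail_per_ip)

def spray_windows(events, window=timedelta(minutes=10),
                  min_accounts=10, max_per_account=2):
    """Flag windows where many distinct accounts each fail a few times,
    no matter how many source IPs the attempts are spread across."""
    fails = [(ts, ip, user) for ts, ip, user, res in events if res == "FAIL"]
    alerts, start = [], 0
    for end in range(len(fails)):
        # Slide the window start forward until it spans at most `window`.
        while fails[end][0] - fails[start][0] > window:
            start += 1
        chunk = fails[start:end + 1]
        per_user = Counter(user for _, _, user in chunk)
        if (len(per_user) >= min_accounts
                and max(per_user.values()) <= max_per_account):
            alerts.append({"start": chunk[0][0], "end": chunk[-1][0],
                           "accounts": len(per_user),
                           "source_ips": len({ip for _, ip, _ in chunk})})
            start = end + 1  # do not re-alert on the same burst
    return alerts

if __name__ == "__main__":
    ev = sample_events()
    print("per-IP rule:", per_ip_alerts(ev))
    print("account-spread rule:", spray_windows(ev))
```

On the constructed data the per-IP rule stays silent while the account-spread rule fires once; thresholds need tuning against an organization's normal failed-login volume.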