Ransomware operations have evolved from distinct groups into a collaborative ecosystem, making it increasingly difficult for cybersecurity defenders to identify and track them. Historically, groups like Conti and LockBit were seen as separate entities, but researchers have uncovered a new reality where these operations freely share resources like code, infrastructure, and even personnel. This shift accelerated following significant disruptions, such as the takedown of the Conti ransomware group, which caused its members to disperse and rebrand. As a result, simply identifying a threat by its ransomware family name is no longer a reliable method for attribution. Security analysts have found overlapping infrastructure and shared code, pointing to a new era of resource pooling rather than isolated criminal factions.
The evidence for these hidden alliances is rooted in technical overlaps in infrastructure and code. Researchers have found that multiple ransomware groups use the same bulletproof hosting providers, as shown by shared SSL certificates and duplicate command-and-control domains. This suggests a common affiliation among affiliates or direct collaboration between different groups. These shared resources highlight the need for defenders to focus on tracking the underlying assets and behaviors of attackers rather than just their surface-level brand names. By shifting the focus to these technical footprints, defenders can gain a more accurate understanding of the threats they face.
Beyond shared infrastructure, detailed code analysis has revealed striking similarities in the core components of different ransomware families. For example, a comparison of the loader stages for Black Basta and QakBot showed identical sequences of opcodes in their memory-resident decryptors, which indicates code reuse or a direct lineage between the two. In one specific instance, the decryption routine in Black Basta’s initial loader was nearly identical to one found in QakBot, differing only by offset values. This is a clear example of how techniques like affine key indexing are used to create polymorphic encryption across multiple malware families, which makes it much harder for traditional signature-based detection to work.
The infection mechanisms used by these groups are also becoming more sophisticated, with a focus on fileless deployment to evade defenses. The typical attack begins with an initial breach, often through exposed RDP services or a phishing attack, to deploy a small PowerShell loader that runs entirely in memory. This loader then uses Windows API functions to inject a second-stage payload directly into a legitimate system process like explorer.exe. This fileless approach helps the malware bypass traditional antivirus scans and blend in with normal system operations. A common persistence tactic involves creating a registry key that executes the loader with encoded parameters every time the user logs on.
By understanding these shared behaviors and technical overlaps, the cybersecurity community can move beyond brand-based attribution and adopt a more effective, behavior-centric approach to defense. The collaborative nature of these criminal enterprises means that a single successful defense strategy may not be sufficient, as attackers can quickly pivot and adopt techniques from their peers. The future of cybersecurity defense must focus on tracking the core assets and tactics that link these groups, rather than chasing their ever-changing names.
Reference:
