Ransom Mafia


In February 2021, a multinational law enforcement task-force arrested several Ukrainian
men for supporting a long-standing ransomware gang known as Twisted Spider. The
gang, first seen in May 2019, is behind high-dollar enterprise ransomware attacks.
Unfortunately, the arrests had little impact, and several weeks later, in March 2021,
Twisted Spider operations continued. Twisted Spider often makes headlines, but it’s not
only due to their attacks. In June 2020, the gang issued a press release, claiming they
joined forces with several other well-known ransomware attackers to create a criminal
cartel. If this is true, this collaborative partnership, sharing resources and revenue, would
pose a far greater threat to the community than attacks from smaller individual gangs by

Analyst1 produced this report to address whether or not the Cartel actually exists, as
well as to help analysts better understand and defend against advanced ransomware
attackers. We conduct research and analysis to address the following goals:

  • Research and provide an analytical assessment to determine if the Cartel is real or a fabrication created to distract law enforcement and researchers.
  • Profile and assess each gang within the Cartel and determine their relationships with one another.
  • Identify the steps behind how each attacker breaches and extorts their victims. Understanding the attacker’s behavior and tactics will assist in formulating better defensive and mitigation processes
Visit Resource

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge