Researchers Uncover Hidden Connections Between Ransomware Groups and Relationships Between Them

In recent months, cybersecurity researchers have exposed a tangled web of hidden alliances among leading ransomware operations, reshaping how defenders perceive these threats.

Historically treated as distinct entities—Conti, LockBit, Evil Corp, and others—ransomware groups have evolved into a dynamic marketplace where code, infrastructure, and human capital flow freely between operators.

The transformation accelerated after major disruptions such as the Conti takedown in mid-2024, forcing affiliates to scatter and rebrand under new banners.

The result is a fractured ecosystem where attribution based solely on ransomware family names is increasingly unreliable.

Domaintools analysts identified overlapping infrastructure footprints and shared binary artifacts that point to resource pooling rather than isolated criminal factions.

Passive DNS records, shared SSL certificates, and duplicate command-and-control domains revealed that multiple groups have leveraged the same bulletproof hosting providers, suggesting either direct collaboration or common affiliations at the affiliate level.

Analytical map (Source – Domaintools)

These infrastructure overlaps underscore the necessity for defenders to track underlying assets and behaviors instead of surface-level brand labels.
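The pivot described above, turned into a small defender-side check, as an added example that is not DomainTools' code and uses only constructed placeholder observations (fictional brand names, RFC 5737 addresses, dummy certificate fingerprints): invert brand-attributed passive DNS, IP and certificate observations into an asset index, report every pair of brands that share an asset, and merge linked brands into clusters.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample observations (not real indicators): each row records one
# infrastructure artifact seen in use by a ransomware brand.
OBSERVATIONS = [
    {"family": "GroupA", "domain": "c2-alpha.example", "ip": "198.51.100.10", "cert": "SHA256:AAAA"},
    {"family": "GroupA", "domain": "c2-beta.example",  "ip": "198.51.100.11", "cert": "SHA256:BBBB"},
    {"family": "GroupB", "domain": "c2-beta.example",  "ip": "198.51.100.11", "cert": "SHA256:CCCC"},
    {"family": "GroupB", "domain": "c2-gamma.example", "ip": "203.0.113.5",   "cert": "SHA256:DDDD"},
    {"family": "GroupC", "domain": "c2-delta.example", "ip": "203.0.113.5",   "cert": "SHA256:AAAA"},
    {"family": "GroupD", "domain": "c2-eps.example",   "ip": "192.0.2.77",    "cert": "SHA256:EEEE"},
]

def index_assets(observations):
    """Invert brand -> asset into (kind, value) -> set of brands using it."""
    index = defaultdict(set)
    for obs in observations:
        for kind in ("domain", "ip", "cert"):
            index[(kind, obs[kind])].add(obs["family"])
    return index

def shared_infrastructure(observations):
    """Map each pair of brands to the sorted list of assets both were seen using."""
    links = defaultdict(list)
    for asset, families in index_assets(observations).items():
        if len(families) < 2:
            continue                      # asset unique to one brand: no link
        for pair in combinations(sorted(families), 2):
            links[pair].append(asset)
    return {pair: sorted(assets) for pair, assets in links.items()}

def overlap_clusters(observations):
    """Union-find over shared assets: A~B and B~C puts A, B and C in one cluster."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x
    for fam in {o["family"] for o in observations}:
        find(fam)                         # register every brand, linked or not
    for a, b in shared_infrastructure(observations):
        parent[find(a)] = find(b)
    clusters = defaultdict(set)
    for fam in list(parent):
        clusters[find(fam)].add(fam)
    return sorted(sorted(c) for c in clusters.values())
```

With the sample data, GroupA and GroupB share a C2 domain and its resolved IP, GroupA and GroupC share a certificate, and GroupB and GroupC share a hosting IP, so the three collapse into one cluster while GroupD stays isolated.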

Beyond infrastructure, detailed code analysis has uncovered striking similarities in encryption routines and persistence modules.

A comparative disassembly of the loader stages for both Black Basta and QakBot highlights identical opcode sequences in the memory-resident decryptor, indicating code reuse or direct lineage.

In one instance, the decryption stub found in Black Basta’s initial loader closely mirrors the QakBot routine, differing only by offset values:

/* XOR-decrypt the staged payload byte by byte; keyOffset is the only value
   that differs between the two loaders, keyLen is the length of the key buffer */
for (int i = 0; i < encryptedSize; i++) {
    decrypted[i] = encrypted[i] ^ key[(i + keyOffset) % keyLen];
}

This snippet illustrates how affine key indexing, key[(i + keyOffset) % keyLen], lets the same routine yield different ciphertext across malware families simply by changing the offset, a form of polymorphic encryption that complicates signature-based detection.

Infection Mechanism: Fileless Deployment and Persistence

Delving deeper into the infection mechanism reveals a sophisticated fileless approach designed to evade endpoint defenses.

Attackers first exploit exposed RDP services or phishing vectors to deploy a lightweight PowerShell loader in memory.

Once executed, this loader uses the Windows API’s VirtualAlloc and WriteProcessMemory functions to inject a second-stage payload directly into the explorer.exe process.

A sample persistence tactic involves writing a registry key under HKCU:\Software\Microsoft\Windows\CurrentVersion\Run that executes the loader with base64-encoded parameters at user logon.

Domaintools researchers noted that this in-memory injection not only bypasses traditional AV scans but also leverages legitimate system binaries to blend in with normal operations.

By understanding these hidden alliances and infection tactics, cybersecurity teams can prioritize detection of shared infrastructure and code patterns, enabling more resilient defenses against a threat landscape defined by human-driven modularity and rapid rebranding.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.