Researchers find financial ties between notorious ransomware gangs

It's the latest indication that Maze, Egregor and other groups may be run by a relatively small number of people.
Ransomware lock depiction
(Nattapon Kongbunmee / Getty Images)

The number of ransomware strains that lock up systems throughout the global internet might suggest an immeasureable number of independent hackers are plundering victims’ data.

In fact, new research suggests that digital extortion specialists are more closely connected than they may appear. Researchers at Chainalysis, a software firm that works with law enforcement agencies, on Thursday said they have found connections that suggest collaboration between hackers who have used the Maze, Egregor, SunCrypt and DoppelPaymer hacking tools.

Each of these groups operate as ransomware-as-a-service, meaning they lease access to their malware to affiliates who then run ransomware attacks, which can make attribution trickier. When tracking some recent ransom payments to the Maze gang through a series of intermediaries, researchers determined that Maze was sharing some of the payout with a suspected SunCrypt cutout, according to a blog on the research, which was published Thursday. Maze has been tied to attacks against victims including Canon and Xerox, often publishing stolen data if victims refused to pay.

The transaction suggests that the intermediary, which Chainalysis does not identify, acts as an affiliate for both SunCrypt and for Maze, the researchers state in the blog.


Chainalysis also found evidence that suggests Maze and Egregor have both sent funds to deposit addresses at a major cryptocurrency exchange through intermediaries, indicating those groups might work with the same broker to convert cryptocurrency ransom payments into cash.

Chainalysis also has found evidence that suggests an Egregor-linked wallet has paid Doppelmaymer administrators in the past, indicating they could be possible affiliates. Firms including Sophos have determined the Egregor group relies on an affiliate strategy, helping attackers avoid detection while also forcing hackers to split up the proceeds from their attacks.

The new Chainalysis research opens up a new layer of insight into the four strains that could help malware researchers and authorities develop new ways to stop criminals behind the seemingly endless scourge of ransomware.

“While we can’t say for sure that Maze, Egregor, SunCrypt, or Doppelpaymer have the same administrators, we can say with relative certainty that some of them have affiliates in common,” the researchers note in the blog. “By going after bad actors like the money laundering service or corrupt OTC  [over-the-counter] brokers … law enforcement could significantly hamper the ability of Maze and Egregor to operate profitably without actually catching the strains’ administrators or affiliates.”

The unnamed over-the-counter broker Chainalysis suspects Maze and Egregor both use has also been used by the Doppelpaymer, WastedLocker and Netwalker groups, a possible indication that any action taken against the broker could offer a large investigative or protective payoff given its reach.


While ransomware strains have plundered schools, local governments and companies for years now, only recently have researchers begun to suggest that the pool of criminals involved is actually more concentrated.

In January, Chainalysis publishing findings indicating the number of attackers that benefit from ransomware payouts is actually likely much smaller than the number of ransomware strains.

There have been some previous indications that Maze, Egregor, SunCrypt and Doppelpaymer could be linked in some way. SunCrypt has previously claimed to be a part of Maze’s network, according to BleepingComputer. Maze and Egregor also have code similarities, according to earlier research.

Each of the strains, in addition to locking up victim systems and demanding ransom, have also exposed victim information in order to make the victims more likely to pay, a relatively newer method some ransomware actors have begun to exploit to help assure they make a buck off their efforts.

Some researchers have long believed there to be connections between ransomware strains and operations. GandCrab, for instance, announced it was going off the grid and retiring in 2019, but researchers have linked the group to a newer strain of ransomware known as Sodinokibi or REvil.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts