Through its analysis of crypto transactions, the blockchain analytics company Chainalysis shows how closely criminal groups are connected to one another via crypto addresses and brokers.
Chainalysis cannot, however, say with certainty whether Maze, Egregor, SunCrypt or DoppelPaymer share the same administrators or masterminds. Regardless of the depth and nature of these connections, the evidence suggests that far fewer criminal groups are active than the number of ransomware variants would lead one to assume:
In fact, new research suggests that digital extortion specialists are more closely connected than they may appear. Researchers at Chainalysis, a software firm that works with law enforcement agencies, on Thursday said they have found connections that suggest collaboration between hackers who have used the Maze, Egregor, SunCrypt and DoppelPaymer hacking tools. Each of these groups operates as ransomware-as-a-service, meaning they lease access to their malware to affiliates who then run ransomware attacks, which can make attribution trickier. When tracking some recent ransom payments to the Maze gang through a series of intermediaries, researchers determined that Maze was sharing some of the payout with a suspected SunCrypt cutout, according to a blog on the research, which was published Thursday. Maze has been tied to attacks against victims including Canon and Xerox, often publishing stolen data if victims refused to pay. [...] Chainalysis also found evidence that suggests Maze and Egregor have both sent funds to deposit addresses at a major cryptocurrency exchange through intermediaries, indicating those groups might work with the same broker to convert cryptocurrency ransom payments into cash. Chainalysis also has found evidence that suggests an Egregor-linked wallet has paid DoppelPaymer administrators in the past, indicating they could be possible affiliates. Firms including Sophos have determined the Egregor group relies on an affiliate strategy, helping attackers avoid detection while also forcing hackers to split up the proceeds from their attacks.
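The two kinds of link the article describes, ransom proceeds from different groups converging on the same exchange deposit address through intermediaries, and one group's wallet paying an address attributed to another group, can be illustrated on a small transaction graph. The example below is added here and is not Chainalysis's methodology or tooling, and not code from the article; every address, label and transfer in it is constructed for illustration and does not correspond to real on-chain data.

```python
"""Forward-trace ransom proceeds on a constructed transaction graph.

Two questions an analyst asks once a few addresses are attributed:
  1. Do proceeds of different groups reach the same exchange deposit address
     (same broker / cash-out service)?
  2. Does one group's address pay an address attributed to another group
     (revenue share, affiliate relationship)?

All data here is made up for illustration, not real blockchain data.
"""
from collections import defaultdict, deque

# Constructed transfers: (from_address, to_address, amount). Hypothetical names.
TRANSFERS = [
    ("victim_a", "maze_ransom_1", 100.0),
    ("maze_ransom_1", "hop_1", 80.0),
    ("maze_ransom_1", "suncrypt_cutout", 20.0),    # share paid to suspected cutout
    ("hop_1", "hop_2", 80.0),
    ("hop_2", "exchange_deposit_X", 80.0),
    ("victim_b", "egregor_ransom_1", 60.0),
    ("egregor_ransom_1", "hop_3", 50.0),
    ("egregor_ransom_1", "doppelpaymer_admin", 10.0),
    ("hop_3", "exchange_deposit_X", 50.0),          # same deposit address as Maze
    ("victim_c", "suncrypt_ransom_1", 30.0),
    ("suncrypt_ransom_1", "hop_4", 30.0),
    ("hop_4", "exchange_deposit_Y", 30.0),
]

# Attribution an analyst already holds (constructed labels).
ATTRIBUTION = {
    "maze_ransom_1": "Maze",
    "egregor_ransom_1": "Egregor",
    "suncrypt_ransom_1": "SunCrypt",
    "suncrypt_cutout": "SunCrypt",
    "doppelpaymer_admin": "DoppelPaymer",
}
# Known exchange deposit addresses (constructed). Tracing stops here because
# funds are pooled in the exchange's hot wallet beyond this point.
EXCHANGE_DEPOSITS = {"exchange_deposit_X", "exchange_deposit_Y"}
# Addresses that received ransom payments directly from victims.
RANSOM_ADDRESSES = ["maze_ransom_1", "egregor_ransom_1", "suncrypt_ransom_1"]


def build_graph(transfers):
    """Adjacency list of outgoing transfers: address -> [(next_address, amount)]."""
    out = defaultdict(list)
    for src, dst, amt in transfers:
        out[src].append((dst, amt))
    return out


def trace_forward(graph, start, max_hops=6):
    """BFS along outgoing transfers from `start`, at most `max_hops` hops.

    Returns {endpoint: path}, where an endpoint is either an exchange deposit
    address or an address attributed to a group other than the origin's.
    """
    origin = ATTRIBUTION.get(start)
    reached, seen = {}, {start}
    queue = deque([(start, [start], 0)])
    while queue:
        addr, path, hops = queue.popleft()
        if hops >= max_hops:
            continue
        for nxt, _amt in graph.get(addr, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            new_path = path + [nxt]
            other = ATTRIBUTION.get(nxt)
            if nxt in EXCHANGE_DEPOSITS or (other and other != origin):
                reached[nxt] = new_path       # endpoint: record and stop
            else:
                queue.append((nxt, new_path, hops + 1))
    return reached


def analyse(transfers, seeds):
    """Return (shared_deposits, cross_group_payments).

    shared_deposits: {deposit_address: sorted groups whose proceeds reach it},
        only for addresses reached by more than one group.
    cross_group_payments: [(from_group, to_group, path)].
    """
    graph = build_graph(transfers)
    groups_per_deposit = defaultdict(set)
    cross_group = []
    for seed in seeds:
        group = ATTRIBUTION[seed]
        for endpoint, path in trace_forward(graph, seed).items():
            if endpoint in EXCHANGE_DEPOSITS:
                groups_per_deposit[endpoint].add(group)
            else:
                cross_group.append((group, ATTRIBUTION[endpoint], path))
    shared = {d: sorted(g) for d, g in groups_per_deposit.items() if len(g) > 1}
    return shared, cross_group


if __name__ == "__main__":
    shared, cross = analyse(TRANSFERS, RANSOM_ADDRESSES)
    for deposit, groups in shared.items():
        print(f"shared cash-out point {deposit}: {', '.join(groups)}")
    for src, dst, path in cross:
        print(f"{src} -> {dst} via {' -> '.join(path)}")
```

On the constructed data this reports `exchange_deposit_X` as a cash-out point shared by Egregor and Maze, and two cross-group payments (Maze to a SunCrypt-attributed address, Egregor to a DoppelPaymer-attributed address), mirroring the two kinds of evidence in the article. The caveat the article itself makes applies to any such result: a shared deposit address shows at most that two groups use the same broker or exchange account, and a payment to another group's address is consistent with an affiliate split, not proof of common operators. Real tracing also has to handle change outputs, mixers and peel chains, which this toy graph omits.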