Many ‘franchise’ deals and new partnerships have emerged in the Ransomware-as-a-Service (RaaS) industry over the past year.
RaaS now poses a huge threat to enterprise security and is considered the most prolific and dangerous threat today. That is to say, cybercriminals make money by leasing out their ransomware creations. Higher ransom payments come from larger companies, as criminals demand more to decrypt their data once a ransomware attack has succeeded.
Firstly, the industry has recently advanced by including other roles such as malware developers, native negotiators, and Initial Access Brokers (IABs). IABs offer network access to a target system, which speeds up RaaS operations.
Secondly, there’s an additional threat, leak sites, that’s now common. In this scheme, a ransomware group steals sensitive business information prior to encrypting systems. The cybercriminal then demands payment and threatens to publish the information unless the victim pays up.
Meanwhile, the overall trends for 2021 were published in a report compiled by KELA. The statistics from the cybersecurity firm confirm that the number of major organisations tracked as ransomware victims almost doubled, from 1460 to 2860. Of those that were tracked, many appeared on leak sites and negotiation platforms for ransomware.

Of the leak sites monitored last year, 65% were managed by newcomers to the game. The victims came from developed countries like the US, Canada, Germany, Australia, Japan, and France.
Some sectors are being targeted more than others by ransomware operators. These include manufacturing, industrial companies, professional services, technology, engineering, and retail.
But the security headache isn’t necessarily over after one incident.
Many businesses are experiencing repeated attacks. For instance, Party Rental appeared on Avaddon’s leak site in February 2021, and Conti allegedly claimed the same victim in September 2021. Both shared data belonging to Party Rental.
The same thing happened to Amey, which appeared on Mount Locker’s domain and afterwards on Clop’s.
According to KELA, around 40 organizations compromised in 2020 were hit again in 2021 by a different ransomware group, and it is “possible the groups used the same initial access vector.”
In other words, there could be collaboration, especially since operators of data leak sites, namely Marketo and Snatch, tend to claim the same victims as many ransomware groups (Conti, Ragnar Locker, and more), the report finds.
Meanwhile, in 2021 more than 1300 accesses were listed by at least 300 IABs in the underground. Frequent purchasers of this access include Russian-speaking ransomware operators, groups such as LockBit, Avaddon, DarkSide, Conti, and BlackByte.
Based on the findings from the cybersecurity firm, it seems that “franchise” businesses are emerging. Some of the overlaps, of course, could be coincidental.
But some collaboration has been discovered. For example, Trend Micro connected the dots between Astro Team and Xing Team, which were allowed to use the Mount Locker ransomware under their own brand names.
To clarify, each cybercriminal group maintained its own name-and-shame blog, but the same malware was in use. At least some of the victims were duplicated and re-branded in Astro/Xing Team and Mount Locker disclosures. Also in 2021, 14 victim organizations were published on the Quantum, Marketo, and Snatch blogs.
The researchers say that ransomware operators are collaborating with the actors behind data leak sites under specific conditions, as they share stolen data. It means more money for the operators if the stolen data is sold on a leak site, and it can be more intimidating to the victim (or future victims).
“Aside from collaboration, as between ransomware groups, actors behind these data leak sites can use the same entry vector or attack the same company via different initial access.”
In 2021, some of the major ransomware players vanished and re-emerged using a different brand name. These included BlackMatter and REvil. Meanwhile, to fill the gap, other new groups emerged, including Alphv, Hive, and AvosLocker.
When criminals start to collaborate, we can surmise things can only get worse.