{
	"id": "41afc1b5-8cc0-4aae-973e-a8fb110eec71",
	"created_at": "2026-04-06T00:09:26.009576Z",
	"updated_at": "2026-04-10T03:36:11.340113Z",
	"deleted_at": null,
	"sha1_hash": "33fbbb1536f91925f20bb908e8b4dc9b642b709e",
	"title": "Ransomware + Data Leak Extortion: Origins and Adversaries, Pt. 2",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 330288,
	"plain_text": "Ransomware + Data Leak Extortion: Origins and Adversaries, Pt. 2\r\nBy The CrowdStrike Intel Team\r\nArchived: 2026-04-05 16:05:57 UTC\r\nAs data leak extortion swiftly became the new norm for big game hunting (BGH) ransomware operators since late 2019, various criminal adversaries began innovating in this area. This includes collaboration between ransomware groups, auctioning leaked data and demanding not just one ransom for the ransomware decryptor but also a second ransom to ensure stolen data is deleted. The first part of this two-part blog series explored the origins of ransomware, BGH and extortion and introduced some of the criminal adversaries that are currently dominating the data leak extortion ecosystem. This blog explores operators of Ako (a fork of MedusaLocker) demanding two ransoms from victims, PINCHY SPIDER’s auctioning of stolen data and TWISTED SPIDER’s creation of the self-named “Maze Cartel.”\r\nTwice the Price: Ako Operators Demand Separate Ransoms\r\nIn May 2020, CrowdStrike® Intelligence observed an update to the Ako ransomware portal. Similar to many other ransomware operators, the threat actors added a link to their dedicated leak site (DLS), as shown in Figure 1. What makes this DLS interesting is an indication that the threat actors were likely issuing two ransom demands: one for the victim to obtain the decryption key and a second to delete the exfiltrated data from the DLS.\r\nhttps://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/\r\nPage 1 of 6\r\nFigure 1. Updated Ako ransom portal\r\nOne of the threat actor posts (involving a U.S.-based engineering company) included the following comment: “Got only payment for decrypt – 350,000$ Payment for delete stolen files was not received.” While it appears that the victim paid the threat actors for the decryption key, the exfiltrated data was still published on the DLS. This inclusion of a ransom demand for the exfiltrated data is not yet commonly seen across ransomware families.\r\nGoing Once, Twice — Sold!\r\nOn June 2, 2020, CrowdStrike Intelligence observed PINCHY SPIDER introduce a new auction feature to their REvil DLS. This feature allows users to bid for leak data or purchase the data immediately for a specified “Blitz Price.” Payments are only accepted in Monero (XMR) cryptocurrency. These auctions are listed in a specific section of the DLS, which provides a list of available and previously expired auctions. Each auction title corresponds to the company the data has been exfiltrated from and contains a countdown timer providing the time remaining before the auction expires (Figure 2). Once the auction expires, PINCHY SPIDER typically provides a link to the company’s data, which can be downloaded from a public file distribution website. In order to place a bid or pay the provided Blitz Price, the bidder is required to register for a particular leak auction. When a leak auction title is clicked, it takes the bidder to a detailed page containing “Login” and “Registration” buttons, as shown in Figure 2.\r\nFigure 2. Detailed leak auction page\r\nThe “Login” button can be used to log in as a previously registered user, and the “Registration” button provides a generated username and password for the auction session. Once the bidder is authenticated for a particular auction, the resulting page displays auction deposit amounts, starting auction price, ending auction price, an XMR address to send transactions to, a listing of transactions to that address, and the time left until the auction expires, as shown in Figure 3.\r\nFigure 3. Registered user leak auction page\r\nA minimum deposit needs to be made to the provided XMR address in order to make a bid. If the bidder is outbid, then the deposit is returned to the original bidder. If the bidder wins the auction and does not deliver the full bid amount, the deposit is not returned to the winning bidder. This protects PINCHY SPIDER from fraudulent bids, while providing confidence to legitimate bidders that they will have their money returned upon losing a bid. In theory, PINCHY SPIDER could refrain from returning bids, but this would break the trust of bidders in the future, thus hindering this avenue as an income stream. At the time of this writing, CrowdStrike Intelligence had not observed any of the auctions initiated by PINCHY SPIDER result in payments. If users are not willing to bid on leaked information, this business model will not suffice as an income stream. Additionally, PINCHY SPIDER’s willingness to release the information after the auction has expired, which effectively provides the data for free, may have a negative impact on the business model if those seeking the information are willing to have the information go public prior to accessing it.\r\nEnter the Labyrinth: Maze Cartel Encourages Criminal Collaboration\r\nIn June 2020, TWISTED SPIDER, the threat actor operating Maze ransomware, introduced a new twist to their ransomware operations by announcing the creation of the “Maze Cartel” — a collaboration between certain ransomware operators that results in victims’ exfiltrated information being hosted on multiple DLSs, as shown in Figure 4.\r\nFigure 4. Screenshot of TWISTED SPIDER’s DLS implicating the Maze Cartel\r\nTo date, the Maze Cartel is confirmed to consist of TWISTED SPIDER, VIKING SPIDER (the operators of Ragnar Locker) and the operators of LockBit. Data-sharing activity observed by CrowdStrike Intelligence is displayed in Table 1.\r\nVictim | Ransomware Variant Involved | Data Hosted By (and Date)\r\nU.S.-based engineering company | LockBit | TWISTED SPIDER (June 1)\r\nU.S.-based media and marketing company | VIKING SPIDER’s Ragnar Locker | TWISTED SPIDER (June 8)\r\nU.S.-based engineering company | TWISTED SPIDER’s Maze | TWISTED SPIDER (June 5), VIKING SPIDER (June 11)\r\nTable 1. Maze Cartel data-sharing activity to date\r\nIn August 2020, operators of SunCrypt ransomware claimed they were a new addition to the Maze Cartel — the claim was refuted by TWISTED SPIDER. Duplication of a Norway-based victim’s details on both the TWISTED SPIDER DLS and SunCrypt DLS contributed to theories the adversaries were collaborating, though the data was also available on criminal forums at the time it appeared on SunCrypt’s DLS. Also in August 2020, details of two victims were duplicated on both TWISTED SPIDER’s DLS and WIZARD SPIDER’s Conti DLS, resulting in theories that WIZARD SPIDER is a new addition to the Maze Cartel. However, TWISTED SPIDER made no reference to the inclusion of WIZARD SPIDER, and the duplication is potentially the result of the victims facing two intrusions by separate ransomware actors, or data being sold by WIZARD SPIDER to other threat actors. The exact nature of the collaboration between Maze Cartel’s members is unconfirmed; it is unknown if the actors actively participate in the same operations. Some of the actors share similar tactics, techniques and procedures (TTPs), including an initial aversion to targeting frontline healthcare facilities during the COVID-19 pandemic, and there are indications that adversaries are emulating successful techniques demonstrated by other members of the cartel [1]. The Maze Cartel creates benefits for the adversaries involved, and potential pitfalls for victims. Less-established operators can host data on a more-established DLS, reducing the risk of the data being taken offline by a public hosting provider. TWISTED SPIDER’s reputation as a prolific ransomware operator arguably bolsters the reputation of the newer operators and could encourage the victim to pay the ransom demand. A yet-to-be-seen but realistic threat is that victims whose data is hosted in multiple locations could face negotiations with multiple ransomware operators, potentially increasing the price of the ransom to ensure the data’s removal and destruction.\r\nConclusion\r\nCollaboration between eCrime operators is not uncommon — for example, WIZARD SPIDER has a historically profitable arrangement involving the distribution of TrickBot by MUMMY SPIDER in Emotet spam campaigns. However, the apparent collaboration between members of the Maze Cartel is more unusual and has the potential to alter the TTPs used in the ransomware threat landscape. Collaboration between operators may also place additional pressure on the victim to meet the ransom demand, as the stolen data has gained increased publicity and has already been shared at least once. To date, the collaboration appears to focus on data sharing, but should the collaboration escalate into combined or consecutive ransomware operations, then the fallout and impact on victims could become significantly higher.\r\nThe auctioning of victim data enables the monetization of exfiltrated data when victims are not willing to pay ransoms, while incentivizing the original victims to pay the ransom amount in order to prevent the information from going public. Double ransoms potentially increase the amount of money a ransomware operator can collect, but should the operators demand the ransoms separately, victims may be more willing to pay for the deletion of data where receiving decryptors is not a concern. As eCrime adversaries seek to further monetize their efforts, these trends will likely continue, with the auctioning of data occurring regardless of whether or not the original ransom is paid. The collaboration between Maze Cartel members and the auction feature on PINCHY SPIDER’s DLS may be combined in the future. It is possible that a criminal marketplace may be created for ransomware operators to sell or auction data, share techniques and even sell access to victims if they don’t have the time or capability to conduct such operations. CrowdStrike Intelligence has previously observed actors selling access to organizations on criminal underground forums. However, these advertisements do not appear to be restricted to ransomware operations and could instead enable espionage and other nefarious activity. These evolutions in data leak extortion techniques demonstrate the drive of these criminal actors to capitalize on their capabilities and increase monetization wherever possible. The overall trend of exfiltrating, selling and outright leaking victim data will likely continue as long as organizations are willing to pay ransoms. These tactics enable criminal actors to capitalize on their efforts, even when companies have procedures in place to recover their data and are able to remove the actors from their environments. Currently, the best protection against ransomware-related data leaks is prevention. Security solutions such as the CrowdStrike Falcon® endpoint protection platform come with many preventive features to protect against threats like those outlined in this blog series. With features that include machine learning, behavioral preventions and executable quarantining, the Falcon platform has proven to be highly effective at stopping ransomware and other common techniques criminal organizations employ.\r\nThis blog was written by CrowdStrike Intelligence analysts Zoe Shewell, Josh Reynolds, Sean Wilson and Molly Lane.\r\n1. https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/\r\nAdditional Resources\r\nRead the first blog in this two-part series: “Double Trouble: Ransomware with Data Leak Extortion, Part 1.”\r\nDownload the CrowdStrike 2020 Global Threat Report.\r\nTo learn more about how to incorporate intelligence on threat actors into your security strategy, visit the CROWDSTRIKE FALCON® INTELLIGENCE™ Threat Intelligence page.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/"
	],
	"report_names": [
		"double-trouble-ransomware-data-leak-extortion-part-2"
	],
	"threat_actors": [
		{
			"id": "e8e18067-f64b-4e54-9493-6d450b7d40df",
			"created_at": "2022-10-25T16:07:24.515213Z",
			"updated_at": "2026-04-10T02:00:05.018868Z",
			"deleted_at": null,
			"main_name": "Mummy Spider",
			"aliases": [
				"ATK 104",
				"Gold Crestwood",
				"Mummy Spider",
				"TA542"
			],
			"source_name": "ETDA:Mummy Spider",
			"tools": [
				"Emotet",
				"Geodo",
				"Heodo"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "506404b2-82fb-4b7e-b40d-57c2e9b59f40",
			"created_at": "2023-01-06T13:46:38.870883Z",
			"updated_at": "2026-04-10T02:00:03.128317Z",
			"deleted_at": null,
			"main_name": "MUMMY SPIDER",
			"aliases": [
				"TA542",
				"GOLD CRESTWOOD"
			],
			"source_name": "MISPGALAXY:MUMMY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc119938-a79c-4e5f-9d4d-dc96835dfe2e",
			"created_at": "2024-06-04T02:03:07.799286Z",
			"updated_at": "2026-04-10T02:00:03.606456Z",
			"deleted_at": null,
			"main_name": "GOLD BLACKBURN",
			"aliases": [
				"ITG23 ",
				"Periwinkle Tempest ",
				"Wizard Spider "
			],
			"source_name": "Secureworks:GOLD BLACKBURN",
			"tools": [
				"BazarLoader",
				"Buer Loader",
				"Bumblebee",
				"Dyre",
				"Team9",
				"TrickBot"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ac83159-1d9d-4db4-a176-97be6b7b07c9",
			"created_at": "2024-06-19T02:03:08.024653Z",
			"updated_at": "2026-04-10T02:00:03.672512Z",
			"deleted_at": null,
			"main_name": "GOLD CRESTWOOD",
			"aliases": [
				"Mummy Spider ",
				"TA542 "
			],
			"source_name": "Secureworks:GOLD CRESTWOOD",
			"tools": [
				"Emotet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434166,
	"ts_updated_at": 1775792171,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/33fbbb1536f91925f20bb908e8b4dc9b642b709e.pdf",
		"text": "https://archive.orkl.eu/33fbbb1536f91925f20bb908e8b4dc9b642b709e.txt",
		"img": "https://archive.orkl.eu/33fbbb1536f91925f20bb908e8b4dc9b642b709e.jpg"
	}
}