{
	"id": "fedb33c7-d1b5-4d26-a667-e597baaf8736",
	"created_at": "2026-04-06T00:08:47.828043Z",
	"updated_at": "2026-04-10T03:33:47.746957Z",
	"deleted_at": null,
	"sha1_hash": "985c6cff8fec395a6a602f6c5bd679f8da6bce19",
	"title": "How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing | KELA Cyber",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1633537,
	"plain_text": "How Ransomware Gangs Find New Monetization Schemes and Evolve in Marketing | KELA Cyber\r\nPublished: 2020-08-25 · Archived: 2026-04-02 12:01:09 UTC\r\nBy Victoria Kivilevich\r\nEdited by KELA Cyber Team\r\nPublished August 25, 2020\r\nAn average ransomware payment now equals $178,254, which is +60% from Q1 2020. The sum has grown not only because of the continually increasing activity of ransomware operators, but also due to their efforts in finding new ways of monetizing their malicious activities and threatening victims. These new TTPs include:\r\nStealing data and requesting double ransoms;\r\nCollaborating with other ransomware gangs;\r\nUsing stolen data to attack other victims;\r\nSelling stolen data on auctions;\r\nNotifying media, as well as victims’ partners and clients, about leaks;\r\nhttps://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/\r\nPage 1 of 12\n\nScraping credit cards.\r\nNovel tactics were adopted not only by infamous gangs such as Maze and Sodinokibi (REvil), but also by less popular runners-up, such as Netwalker, Ragnar Locker, Ako, and others.\r\nKELA regularly monitors these ransomware gangs’ blogs and observes an average of 10-20 new victims each week – implying that the actual number of victims can be much higher, since we only see the victims who did not pay a ransom. In addition, there are those who cooperated with cybercriminals and therefore did not appear in the blogs.\r\nThe following piece will focus on how the ransomware operators diversify their schemes and implement so-called “marketing efforts,” related to threatening victims, in order to gain more profits.\r\nOne Ransom Is Not Enough\r\nDuring the year 2020, it became clear that more and more ransomware gangs prefer to steal the data before encrypting it, to use it as leverage in ransom negotiations. 
This activity includes outing some victims in specially created blogs, as recently seen being done by the developers of the Avaddon ransomware or by those of Darkside – a rather new ransomware in the game.\r\nThis tactic stems from the variety of extortion activities used by various cybercriminal groups in the past. For example, the notorious hacking group known as The Dark Overlord (TDO) had been hacking companies and stealing their data from 2016 till 2019. TDO’s victims included Netflix, ABC, Disney, and other prominent organizations – a lot of their data was leaked or sold after the companies refused to pay a ransom. Moreover, TDO was terrorizing US schools with various threats using a list of phone numbers for students, teachers, and school staffers. The group stopped its activity in 2019, but the extortion never stopped.\r\nA pioneer of the naming-and-shaming tactic is the Snatch team, which manages the ransomware of the same name. In May 2019, the group went public with customer data belonging to the German IT company Citycomp, which further exposed data related to BT, Ericsson, Hugo Boss, and SAP. The gang created a website and released the data when Citycomp did not succumb to blackmail; later, the group published additional breaches. Now, the Snatch gang doesn’t seem to be active in terms of intimidating the victims through their blog, but it’s still actively attacking organizations and encrypting files. However, other ransomware gangs picked up the tactic.\r\nIn November 2019, the Maze team was observed making one of the first public double extortion cases, affecting Allied Universal. 
After the company refused to pay, the Maze team published 700 MB worth of data and files stolen from the company and demanded a new ransom that was 50% higher than the original one.\r\nPer our research, ransomware gangs that are actively continuing to leak files on their blogs (meaning that they updated their websites at least once in the last two months) include*: \r\nAko\r\nAvaddon\r\nClop\r\nDarkside\r\nDoppelPaymer\r\nMaze\r\nNefilim\r\nNetwalker\r\nPysa\r\nRagnar Locker\r\nSekhmet\r\nSodinokibi (REvil)\r\n*On the same day this research was published, two more ransomware gangs announced that they had started their blogs – Conti and SunCrypt.\r\nThese ransomware strains include both exclusively managed ransomware and the RaaS (Ransomware-as-a-Service) type, which involves cooperating with initial access brokers to initiate attacks and with affiliates to perform them. The mentioned ransomware gangs have different targets across different sectors and utilize very different TTPs. For example, Sodinokibi mostly uses RDP compromise in conjunction with email phishing and software vulnerabilities, while Maze relies on phishing attacks as its main infection vector.\r\nSo how is all this activity connected to double ransoms? It appears that certain ransomware gangs from this list are now asking two separate ransoms: one for decrypting the files and another one for deleting the leaked data. For example, it was mentioned when the Maze group offered discounts amid coronavirus: “Discounts are offered for both decrypting files and deleting of the leaked data.”\r\nSome other ransomware gangs specified it in their blogs. 
For instance, Ragnar Locker described such an offer in a post about one of the victims: “We made an offer for decryption and to delete all downloaded information without posting.” Ako also stated about one of the victims: “Got only payment for decrypt – 350,000$. Payment for delete stolen files was not received.”\r\nMaze website\r\nRagnar Locker website\r\nAko website\r\nThe most recent example is the case of Blackbaud, a provider of software and cloud hosting solutions. The company managed to stop the attack and prevent the encryption of its files, though it still had to pay a ransom for deleting the data that the ransomware operators managed to steal (it’s not clear what ransomware was used in the attack). Thus, the exfiltration of data is becoming a more profitable business model for ransomware operators than just encrypting files.\r\nAs 14 ransomware gangs are now stealing data and publishing it in their blogs, we can assume that more ransomware operators will adopt the tactic and will require double ransoms. Possibly, some of them, specifically small-scale operations, will not create their own blogs, but rather collaborate with other gangs. This way they can make use of the stolen information and gain profit even if a victim refuses to pay; and this is the next rising trend.\r\nCollaborate and Intimidate\r\nDrug cartels are old news; nowadays, it is ransomware cartels that are seeking more prominent attention. Again, an innovator in this field is the Maze ransomware gang, which formed the “Maze cartel” to publish leaks of other ransomware groups.\r\nOn June 2, 2020, Maze announced a new collaboration between this group and the LockBit ransomware team by adding files on a new victim as “provided by LockBit” and under the label of “Maze Cartel”. 
This data was stolen during the attack on the international architectural firm Smith Group – an attack that had actually been performed by the actors behind LockBit, who do not maintain their own blog.\r\nMaze website\r\nWhen answering a request from reporters, the Maze operators confirmed that they were working with LockBit and added that another ransomware group would be joining this cooperation in a few days. This “other” group turned out to be Ragnar Locker, first discovered in December 2019 and known, among other reasons, for its attack on the Portuguese multinational energy giant Energias de Portugal (EDP).\r\nSo, on June 8, 2020, Maze published another breach under the “Maze Cartel” label on their blog, while the information had already appeared a month earlier on Ragnar’s blog. The leaked data belonged to the marketing firm M.J. Brunner Inc, and BhiveLab – a marketing innovation lab launched by M.J. Brunner; in addition, the same post featured their client SEI Investments, though it was breached separately (it will be discussed in the following sections of this post).\r\nMaze website\r\nMoreover, Ragnar Locker and Maze proceeded to exchange the data. On June 12, 2020, the Ragnar Locker group published files belonging to ST Engineering, previously breached by Maze, on its blog and stated that the leak was “provided by Maze”, making this collaboration two-sided. Specifically, the published data belonged to a subsidiary company, called VT San Antonio Aerospace, which provides aerospace services. 
As Maze revealed later, the company refused to negotiate.\r\nRagnar Locker website\r\nIt is not known if Maze used financial motivation to attract these two ransomware gangs to its cartel. Since Ragnar Locker not only provided the data but also shared some of Maze’s data in its blog, we can assume that this cooperation is not a vendor-buyer relationship in which Maze could “buy out” victims as some sort of collection agency.\r\nPossible financial cooperation can be related to sharing a ransom payment if the outed victim still decides to pay to prevent further leakage of the data, intimidated by the joint activities of the ransomware operators. If the ransom is not paid, the ransomware gangs could likely share profits if they sell the stolen data on underground forums.\r\nHowever, based on the fact that these cooperation efforts were spotted over a month ago and we did not see any new postings, we can assume that the “Cartel” was just another marketing effort for ransomware gangs. It means that the threat actors behind the ransomware decided to jointly promote the leaks in order to intimidate victims, but it is hardly possible that they collaborated in terms of further monetizing the stolen data.\r\nThis assumption is supported by the fact that there is no evidence of any actual cooperation on the backend of things. For example, though LockBit doesn’t have its own blog, it still maintains an independent profile on forums which is being used for affiliate recruitment. In its turn, Ragnar Locker’s blog is still online and was updated with three new victims without any of Maze’s help. 
Between Ragnar Locker and LockBit, we did not notice any signs of cooperation either.\r\nSodinokibi, known as another experimenter in the ransomware scene (it also remains the most common ransomware, while Maze holds second place in terms of activity), was not spotted using this tactic. Probably, this is related to the fact that it does not need additional promotion of its victims, since it already has a big enough name with its GandCrab legacy. GandCrab was a ransomware operation that shut down in 2019 and was found to have many similarities with the Sodinokibi ransomware. The Sodinokibi developers claimed they were affiliates of GandCrab and obtained the ransomware’s source code.\r\nThough the threat actors behind Sodinokibi were really active at the start, spotted communicating on forums and even leaking victims’ data, they significantly cut their presence on the forums after establishing the blog. Now they only continue to regularly recruit affiliates, though the developers are quite picky: they prioritize teams with experience and access to networks.\r\nUser UNKN, who is considered to be Sodinokibi’s representative on a Russian-speaking underground forum, is looking for affiliates\r\nAnother recruiting post written by Sodinokibi’s representative\r\nLike its closest (though still far behind) rival Maze, Sodinokibi also implemented new tactics. For example, recently they were spotted in a campaign scanning the networks of victims to scrape for credit card and point of sale (PoS) software. There are two possible reasons why Sodinokibi was looking for PoS software. First, in an attempt to scrape credit card data and then use the compromised cards or sell them to other cybercriminals. Second – just to encrypt the PoS software as part of their attacks. 
Since this tactic is unclear and was not used by other ransomware, it is hard to consider it a trend, though Sodinokibi has a bunch of tricks on which we will elaborate further. However, there is another TTP related to collaboration that needs to be explored prior to that.\r\nUsing Stolen Data to Attack Others\r\nAs was mentioned when Maze published data provided by Ragnar Locker, another company, not mentioned in the original post, was featured among the victims. It was SEI Investments Company, which appears to be a client of BHiveLab, as stated in the media: “Clients using the new practice include Mars, SEI Investments and GlaxoSmithKline.”\r\nBack at that time, it was not clear whether SEI was attacked separately, or if the Maze operators simply noticed the company’s files in the data already stolen from BHiveLab and M.J. Brunner and highlighted it as a marketing lure. However, after a few days, Maze clarified this victim in its “official press release”, containing recommendations to refrain from working with negotiators or decrypting files on one’s own after suffering a ransomware attack.\r\nMaze website\r\nAt the end of the press release, Maze mentioned that its member breached SEI Investments using information previously stolen from BHiveLab and M.J. Brunner. This implies another vector in ransomware gangs’ cooperation and another threat to all ecosystems around breached companies.\r\nCompanies that suffer ransomware attacks must also be wary of the potential impact on their vendors, clients, or other partners. The related parties immediately become vulnerable to an attack as well – not just because of the leaked mutual data, but also because of potential compromise in the future. 
Maze stated it quite clearly in one of their press releases (from April 17, 2020; screenshot provided below): “We will use the information gotten to attack your clients and partners.”\r\nMaze website\r\nWe expect this trend to grow, as ransomware gangs become more sophisticated and capable of analyzing the stolen information not just with a focus on releasing and selling data, but also with the intention of finding new initial attack vectors.\r\nWe Will Auction Your Data and Notify Your Partners\r\nModern ransomware gangs do not just use cartels to intimidate victims – they also invent new threats on their own.\r\nIn June 2020, the Sodinokibi operators launched a new auction page used to sell their victims’ stolen data, implying that victims’ partners will be interested in buying it. To participate in such an auction, a minimum deposit of 10% of the start price is required. Also, auctioned data can be bought immediately at a “Blitz price” ranging from $50,000 to $42 million.\r\nAt the moment of writing the article, 15 auctions are active on Sodinokibi’s blog and not one of them has received a top bid, which leads to the lot’s data being published. 22 auctions in total were held to date, though once again there are no top bids.\r\nSodinokibi website\r\nSince the Sodinokibi gang still publishes the data if the auction was unsuccessful, it seems that they do not consider these auctions an effective way of increasing their income. Possibly, they see it as another means of pressuring their victims and prompting them to pay the ransom. 
Thus, we do not expect other ransomware gangs to hold such auctions; however, it can be regarded as another trick in the growing list of new ways to intimidate the victims.\r\nSodinokibi website where it is stated that non-sold data was published for free\r\nAs one of these methods, we can also consider how the ransomware operators are strengthening their ransom requests by claiming that they will send the link to the blog to all customers, partners, investors, and other interested parties. Such a threat has recently been made by the same Sodinokibi gang in a post about a new victim, where they also addressed competitors and employees, inviting them to buy out the stolen data and sue the company.\r\nSodinokibi’s website\r\nMaze also exhaustively stated their intentions in the aforementioned press release: they are threatening to sell commercially valuable information on the darknet, notify media and stock exchanges about a breach, and use the leaked information to attack clients and partners of victims.\r\nNew players are keeping up with raising the stakes in their threats: the developers of the new Darkside ransomware promised to store leaked data for six months and send notifications of the leak to all partners and customers.\r\nTherefore, based on observed auctions and announcements meant to intimidate victims, we can conclude that cybercriminals went from private threats, made in negotiations with victims via chats, to public threats, which involve using both darknet and open sources and can intimidate victims much more.\r\nTo sum up, all the analyzed ransomware gangs represent a new generation of cybercriminals capable of evolving their tactics and diversifying their activities in order to gain more 
profit, therefore posing a significant threat to all organizations. Thus, regular monitoring of ransomware blogs can significantly benefit organizations and help them reduce the risk of being attacked.\r\nSource: https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/"
	],
	"report_names": [
		"how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing"
	],
	"threat_actors": [
		{
			"id": "e9f85280-337c-4321-b872-0919f8ef64a6",
			"created_at": "2022-10-25T16:07:24.261761Z",
			"updated_at": "2026-04-10T02:00:04.914455Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"Gold Village",
				"Maze Team",
				"TA2101",
				"Twisted Spider"
			],
			"source_name": "ETDA:TA2101",
			"tools": [
				"7-Zip",
				"Agentemis",
				"BokBot",
				"Buran",
				"ChaCha",
				"Cobalt Strike",
				"CobaltStrike",
				"Egregor",
				"IceID",
				"IcedID",
				"Mimikatz",
				"PsExec",
				"SharpHound",
				"VegaLocker",
				"WinSCP",
				"cobeacon",
				"nmap"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9639c065-3fa6-432f-9cbd-5708500c4eaa",
			"created_at": "2022-10-25T16:07:23.255684Z",
			"updated_at": "2026-04-10T02:00:04.506059Z",
			"deleted_at": null,
			"main_name": "Overlord Spider",
			"aliases": [
				"The Dark Overlord"
			],
			"source_name": "ETDA:Overlord Spider",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c3c864b3-fac9-4d56-8500-7c06c829fbf8",
			"created_at": "2023-01-06T13:46:39.071873Z",
			"updated_at": "2026-04-10T02:00:03.203749Z",
			"deleted_at": null,
			"main_name": "TA2101",
			"aliases": [
				"GOLD VILLAGE",
				"Storm-0216",
				"DEV-0216",
				"UNC2198",
				"TUNNEL SPIDER",
				"Maze Team",
				"TWISTED SPIDER"
			],
			"source_name": "MISPGALAXY:TA2101",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434127,
	"ts_updated_at": 1775792027,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/985c6cff8fec395a6a602f6c5bd679f8da6bce19.pdf",
		"text": "https://archive.orkl.eu/985c6cff8fec395a6a602f6c5bd679f8da6bce19.txt",
		"img": "https://archive.orkl.eu/985c6cff8fec395a6a602f6c5bd679f8da6bce19.jpg"
	}
}