Dark Alliances: The Interconnected World of Ransomware
This blog expands on Andi Ursry’s presentation at InfoSec World 2025, “Dark Alliances: The Incestuous World of Ransomware.”
Ransomware has evolved far beyond simple cybercrime – it’s a global business ecosystem driven by trust, betrayal, and market efficiency. Modern groups like LockBit, Akira, and Clop operate as criminal enterprises, complete with playbooks, branding, and public relations strategies.
Breaking the cycle of ransomware requires more than technical tools; it demands awareness, resilience, and a willingness to disrupt these dark alliances.
From Floppy to Fortune
Ransomware is malware that holds data or systems hostage until a ransom is paid. Victims receive a ransom note with instructions, but paying does not guarantee full recovery – fewer than 80% regain access, and sometimes backups are more effective than the threat actors’ decryption tool.
Ransomware operation models vary:
- Private: payloads are kept within the core operation – such as Play Ransomware.
- Semi-private: controlled affiliate programs based on reputation – such as Morpheus Ransomware.
- Ransomware-as-a-service (RaaS): infrastructure and payloads are franchised to affiliates for a share of the ransom payment, operating like a business with defined roles.
Ransomware groups may use double extortion – stealing and encrypting data – or focus on just one tactic, either encryption or data theft only.
Ransomware Origin
Ransomware has existed for nearly 40 years, starting with mailed floppy disks in 1989. Key developments include:
- 2007: locking computers to block access
- 2010 – 2013: cryptocurrency adoption for anonymous payments
- 2017: nation-state groups using ransomware for espionage and destruction
- 2019: Maze popularizes double extortion and data leak sites
- 2025: the market is saturated, with many groups and overlapping affiliates.
Figure 1: Timeline of ransomware evolution
Bloodlines
Modern ransomware groups are deeply interconnected, sharing tools, tactics, and even affiliates.
LockBit: The Franchise Kingpin
LockBit began as a rebrand of ABCD Ransomware in 2019 and became the most active group by franchising its RaaS model. Despite setbacks from law enforcement (Operation Cronos) and leaks of its builder, LockBit’s tactics and code have proliferated, spawning numerous variants and copycats.
Figure 1: LockBit Ransomware lineage
LockBit was effective not because it was unique, but because it was efficient and its affiliates trusted the core group or individual behind it.
Akira: The Stylish Old-School Vibe
Akira launched in 2023, adopting old-school style branding but using recycled Conti playbooks. Akira’s connections extend to MegaZord, another Akira variant, and Fog, indicating overlapping tactics and likely shared affiliates. After Conti’s internal leaks, many new groups emerged using similar methods, which underscores how new threats enter the landscape whenever a major operation suffers a shutdown or internal conflict.
Figure 1: Akira Ransomware lineage
Clop: The Data Leaker that Skips the Dance
Clop stands out for exploiting zero-day vulnerabilities in file transfer software. The “UNC” groups below have been linked to FIN11, a well-known sub-group of TA505, highlighting how attribution is muddled by overlapping actors and recycled playbooks.
Figure 1: Clop Ransomware lineage
Governments go Gangster
Nation-state groups also participate in ransomware for disruption and espionage. Groups like Onyx Sleet and Lemon Sandstorm act as affiliates of well-known operations, further blurring the lines between criminal and geopolitical motives.
Copy-Paste Cartel
Analysis of the 15 most active ransomware groups (Jan 2023 – Aug 2025) reveals heavy overlap in tools and in tactics, techniques, and procedures (TTPs). Most of these groups are using the same Windows native tools, off-the-shelf tools, and MITRE ATT&CK techniques for initial access, persistence, and lateral movement. The groups analyzed for this section include:
- 8Base
- Akira
- Alphv/BlackCat
- BianLian
- Clop
- Hive
- Hunters International
- INC Ransom
- LockBit
- Medusa
- Play
- Qilin
- Ransomhub
- Rhysida
- Royal/BlackSuit
Windows Native Tools
Most groups are relying on the same Windows native tools – schtasks for persistence, RDP for lateral movement, PowerShell/WMIC for execution. This type of analysis can help us find the comfort zone these groups operate in – then work to make it as uncomfortable as possible.
| Windows Native Tool | Groups |
| --- | --- |
| Schtasks | All 15 groups |
| RDP | 13 of 15 groups |
| PowerShell | 12 of 15 groups |
| WMIC | 12 of 15 groups |
| cmd | 11 of 15 groups |
| VssAdmin | 11 of 15 groups |
| net | 10 of 15 groups |
| LSASS | 9 of 15 groups |
| bcdedit | 7 of 15 groups |
| taskkill | 4 of 15 groups |
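Because nearly every group in the table leans on the same native binaries, the command lines of those binaries are a cheap place to detect ransomware-style activity. The following is an added example (not code from the original post or from any of the groups discussed) that runs a small set of command-line rules over constructed Sysmon-style process-creation events; the hostnames, user names and command lines are made up for illustration, and the rules map matches to the ATT&CK technique IDs for Inhibit System Recovery (T1490), Scheduled Task (T1053.005) and local account creation (T1136.001).

```python
import re

# Constructed process-creation events in the style of Sysmon Event ID 1.
# Not real telemetry; the hosts, users and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": 'schtasks /create /sc onlogon /tn "Updater" /tr "C:\\Users\\Public\\svc.exe" /ru SYSTEM'},
    {"host": "ws01", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM", "image": "C:\\Windows\\System32\\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "srv02", "user": "CORP\\bob", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "user": "CORP\\bob", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net user backupadm P@ss /add"},
    # Benign use of the same binaries; these must not fire.
    {"host": "ws03", "user": "CORP\\carol", "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /query /tn \\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
    {"host": "ws03", "user": "CORP\\carol", "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net view"},
]

# (ATT&CK technique ID, human-readable rule name, case-insensitive regex over the command line)
RULES = [
    ("T1490", "Shadow copy deletion via vssadmin",
     r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("T1490", "Shadow copy deletion via WMIC",
     r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("T1490", "Windows recovery disabled via bcdedit",
     r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b"),
    ("T1053.005", "Scheduled task creation",
     r"schtasks(\.exe)?\s+/create\b"),
    ("T1136.001", "Local account creation via net user",
     r"net1?(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b"),
]


def scan_events(events):
    """Return one finding per (event, matching rule) pair."""
    findings = []
    for ev in events:
        for technique, name, pattern in RULES:
            if re.search(pattern, ev["cmdline"], re.IGNORECASE):
                findings.append({
                    "host": ev["host"], "user": ev["user"],
                    "technique": technique, "rule": name, "cmdline": ev["cmdline"],
                })
    return findings


def techniques_by_host(findings):
    """Distinct techniques seen per host; several techniques on one host is an escalation signal."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["technique"])
    return {host: sorted(techs) for host, techs in by_host.items()}


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]:6} {h["user"]:22} {h["technique"]:10} {h["rule"]}: {h["cmdline"]}')
    print(techniques_by_host(hits))
```

The rules are deliberately narrow (the destructive or persistence-creating forms of each command, not the binary name alone) so that administrative use such as `schtasks /query` or `net view` stays quiet; in a SIEM the same patterns would be applied to the command-line field of process-creation events rather than to this inline list.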
Off-the-Shelf Tools
Off-the-shelf tools are also widely shared among these groups. AnyDesk and Splashtop for persistence, PsExec and Impacket for lateral movement, Cobalt Strike for command and control (C2), Mimikatz for credential harvesting, and Rclone for exfiltration.
| Off-the-shelf Tool | Groups |
| --- | --- |
| AnyDesk | 12 of 15 groups |
| PsExec | 12 of 15 groups |
| Mimikatz | 10 of 15 groups |
| Cobalt Strike | 9 of 15 groups |
| Rclone | 9 of 15 groups |
| 7zip | 8 of 15 groups |
| Impacket | 8 of 15 groups |
| SystemBC | 7 of 15 groups |
| Advanced Port Scanner | 7 of 15 groups |
| Splashtop | 7 of 15 groups |
Vulnerabilities
Frequently exploited vulnerabilities include ZeroLogon, CVE-2018-13379, ProxyShell, and more. LockBit stands out for aggressively adopting new exploits, which likely helped the group dominate the landscape. Most groups quickly weaponize effective vulnerabilities, even years after patches were released.
| Vulnerability | Groups |
| --- | --- |
| ZeroLogon | 6 of 15 groups |
| CVE-2018-13379 | 4 of 15 groups |
| ProxyShell | 4 of 15 groups |
| CVE-2023-27350 | 3 of 15 groups |
| CVE-2023-27532 | 3 of 15 groups |
| CVE-2023-48788 | 3 of 15 groups |
| CVE-2021-26857 | 2 of 15 groups |
| CVE-2021-26858 | 2 of 15 groups |
| CVE-2021-27065 | 2 of 15 groups |
| CVE-2023-27351 | 2 of 15 groups |
MITRE ATT&CK Techniques
Ransomware groups consistently use overlapping tactics for initial access, persistence, and lateral movement as documented by MITRE ATT&CK.
The overlap in ransomware operations is not limited to tools and vulnerabilities; there is a documented overlap in their overall behavior as well. I focused on initial access, persistence, and lateral movement when comparing behaviors.
Initial Access
Attackers typically exploit exposed services – such as VPN portals or vulnerable public-facing applications – or use social engineering to gain entry to a network.
Persistence
Common methods to gain persistence include scheduled tasks, modifying system processes, and setting up boot/logon autostart via registry keys. These techniques allow malware to survive reboots and maintain a foothold in a compromised network.
Lateral Movement
Once inside, threat actors rely on remote services, taint shared content, and transfer tools (PsExec being a common choice) to spread across the network. These actions let them blend into normal traffic by targeting shared drives or executing malicious files remotely.
Figure 1: MITRE ATT&CK overlaps in ransomware groups
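The overlap the post describes can be measured rather than eyeballed. The following is an added example (not the author's analysis code or dataset) that takes a set of ATT&CK technique IDs per group and derives the same kind of figures the tables above report: how many groups use each technique, which techniques form the shared core, and how similar any two groups' playbooks are (Jaccard index). The four group names and their technique sets are constructed for illustration; the technique IDs themselves are real ATT&CK identifiers for initial access, persistence, lateral movement and impact.

```python
from itertools import combinations

# Constructed, illustrative technique sets; not the 15-group dataset from the post.
# T1133 External Remote Services, T1190 Exploit Public-Facing Application, T1566 Phishing,
# T1053.005 Scheduled Task, T1547.001 Registry Run Keys, T1543.003 Windows Service,
# T1021.001 RDP, T1021.002 SMB/Admin Shares, T1570 Lateral Tool Transfer,
# T1080 Taint Shared Content, T1490 Inhibit System Recovery, T1486 Data Encrypted for Impact.
GROUP_TECHNIQUES = {
    "GroupA": {"T1133", "T1190", "T1053.005", "T1547.001", "T1021.001", "T1570", "T1490"},
    "GroupB": {"T1133", "T1566", "T1053.005", "T1547.001", "T1021.001", "T1080", "T1490"},
    "GroupC": {"T1190", "T1053.005", "T1543.003", "T1021.001", "T1570", "T1490"},
    "GroupD": {"T1566", "T1053.005", "T1547.001", "T1021.002", "T1570", "T1486"},
}


def technique_prevalence(groups):
    """Map technique -> number of groups using it, most common first ("X of N groups")."""
    counts = {}
    for techs in groups.values():
        for t in techs:
            counts[t] = counts.get(t, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def shared_core(groups, min_fraction=1.0):
    """Techniques used by at least min_fraction of the groups (1.0 = every group)."""
    n = len(groups)
    return sorted(t for t, c in technique_prevalence(groups).items() if c / n >= min_fraction)


def jaccard(a, b):
    """Similarity of two technique sets: |A and B| / |A or B|, 1.0 means identical playbooks."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def pairwise_overlap(groups):
    """Jaccard similarity for every pair of groups, keyed by the (sorted) pair of names."""
    return {(g1, g2): jaccard(groups[g1], groups[g2])
            for g1, g2 in combinations(sorted(groups), 2)}


if __name__ == "__main__":
    n = len(GROUP_TECHNIQUES)
    for tech, count in technique_prevalence(GROUP_TECHNIQUES).items():
        print(f"{tech:10} {count} of {n} groups")
    print("used by every group:", shared_core(GROUP_TECHNIQUES))
    print("used by 75%+ of groups:", shared_core(GROUP_TECHNIQUES, 0.75))
    for pair, score in sorted(pairwise_overlap(GROUP_TECHNIQUES).items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]} vs {pair[1]}: {score:.2f}")
```

Feeding this the technique lists for the 15 groups named earlier would reproduce the "X of 15 groups" view for behaviour rather than tools, and the pairwise scores make lineage claims such as Akira's Conti heritage testable against observed behaviour instead of branding alone.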
Lineage Breakers
Ransomware can be intimidating, and the reality is that when an organization is hit, it is a big deal. Ransomware can devastate an organization, but there are things we can do to help mitigate the threat.
Mistakes
There are some basic mistakes made across the board that can enable ransomware operators to target an organization more easily.
- Underestimating the human element in a cyberattack can lead to a compromise. Security isn’t just technical when one of the most common initial access methods is targeting your employee.
- Neglecting basic security hygiene is a major risk in the ransomware space. It’s not always possible to patch a vulnerability the day it’s announced, but when the top two targeted vulnerabilities are over five years old, they should be addressed.
- Stop using “123456” for a password – this remains the most used password in 2025.
- Assuming your organization is not a target can be an incredibly dangerous assumption. Ransomware operators are not limiting their attacks to very large enterprise organizations. Small and medium-sized businesses are just as valuable and are frequently thought to have less robust security, thus appearing as an easier target.
- Failing to create or maintain an incident response plan can lead to miscommunications, delays, and provide additional time for operators to move within your network.
- Slow detection and response can make the difference between a contained breach and a full-blown compromise. Providing these threat actors with additional time in your network allows them to maximize their impact, which gives them more leverage to demand higher ransoms and lowers the chances you can recover.
Breaking the Cycle
There is no silver bullet for fighting ransomware. Unfortunately, they aren’t vampires and wooden stakes are off the table. However, there are some disciplined basics that will help mitigate the threat and make it more difficult for ransomware operators to be successful.
- Exposed services: Reducing exposed services can cut the attack surface from the start, making entry more difficult. Forcing threat actors to change tactics during targeting can force them to make mistakes.
- MFA, VPN, Least Privilege: These can go a long way in ensuring these common tactics are either cut off or made very difficult to use.
- Backups: Maintaining backups is critical – including offline backups. Your backups should be tested – the last thing you want is to be in the middle of a ransomware response and the backups cannot be used.
- Incident Response Plan (IRP): Not only should this plan be created, but it should also be tested periodically. Ensure your departments know if they are part of this plan, they should know what their role is, what actions they should take when, and employees should know who to contact in the event of an active incident.
- Awareness: I can’t say this enough. We have all taken the October cybersecurity training, and it’s probably the same one you took last year. We need year-round, real-world practice.
- Practice does not make perfection, it makes permanence. Providing real-world practice helps ensure your employees are ready to question potentially malicious emails, messages, and phone calls.
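"Your backups should be tested" is easy to say and easy to skip. The following is an added example (not from the original post) of the minimum automated check a restore test should include: a SHA-256 manifest is taken from the live data, a restore is performed, and every restored file is compared against the manifest so that missing or silently corrupted (for instance, encrypted) files are reported before an incident, not during one. The directory layout, file contents and the simulated damage in `demo()` are constructed for illustration.

```python
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    root = Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def save_manifest(manifest, path):
    """Store the manifest separately from the backup (it is the reference you verify against)."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def verify_restore(restore_root, manifest):
    """Compare a restored tree against the manifest; 'ok' is True only if nothing is missing or altered."""
    actual = build_manifest(restore_root)
    missing = sorted(set(manifest) - set(actual))
    corrupted = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    extra = sorted(set(actual) - set(manifest))
    return {"ok": not missing and not corrupted,
            "missing": missing, "corrupted": corrupted, "extra": extra}


def demo():
    """Constructed end-to-end run: good restore, then a restore with a damaged and a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "readme.txt").write_text("constructed sample data\n")

        manifest_path = Path(tmp) / "manifest.json"
        save_manifest(build_manifest(src), manifest_path)
        manifest = load_manifest(manifest_path)

        restore = Path(tmp) / "restore"
        shutil.copytree(src, restore)          # stands in for a real restore from backup media
        good = verify_restore(restore, manifest)

        # Simulate what a bad backup looks like: one file overwritten with garbage, one absent.
        (restore / "finance" / "ledger.csv").write_bytes(b"\x00garbled")
        (restore / "readme.txt").unlink()
        bad = verify_restore(restore, manifest)
        return good, bad


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore:", good)
    print("damaged restore:", bad)
```

The manifest must be written somewhere the backup job cannot overwrite and an intruder on the file server cannot reach; otherwise a ransomware operator who encrypts the backups can simply encrypt or regenerate the manifest too.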
Conclusion
The takeaway is this: ransomware looks like chaos, and it can be scary, but under the surface, it’s a messy, convoluted web of shared tools, affiliates, and recycled ideas. When I say “Dark Alliances” this is what I mean. Ransomware is more than just a few shared tools, techniques, and similarly targeted vulnerabilities. It’s a shared methodology, the same playbook over and over. The logo changes, the ransom note may change, but at the core – not much has changed.
If we can recognize overlaps, defend against the common playbook, and break the cycle, the ransomware’s dark alliances become a little less invincible.
Additional Resources
- https://www.hiscox.ie/sites/ireland-new/files/2025-09/Hiscox%20Cyber%20Readiness%20Report%202025.pdf
- https://www.crowdstrike.com/en-us/resources/reports/state-of-ransomware-survey/
- https://attack.mitre.org/groups/
- https://attack.mitre.org/tactics/enterprise/
- https://blackpointcyber.com/threat-profile/akira-ransomware/
- https://blackpointcyber.com/threat-profile/clop-ransomware/