Ransomware Gangs Are Joining Forces. Here’s How to Prepare.

• Threat actors are getting strategic, scaling their efforts to maximize impact (and payload) while optimizing resources.
• Groups are teaming up to execute highly coordinated attacks, outsourcing more laborious or technical work and centralizing efforts through shared resources.
• Enterprise-grade solutions can help organizations defend against enterprise-grade ransomware.

Threat actors are no longer playing solo—our enemies are becoming friends. Ransomware attackers and advanced persistent threat (APT) groups are teaming up, pooling resources and scaling operations to force-multiply their efforts against organizations. With a staggering 56% spike in active ransomware groups noted in the first half of 2024 alone, Symantec’s Threat Hunters predict that 2025 will bring even bigger operators, with smaller attack groups working for them. 

While collaboration is not new to hacker culture, this scale is unprecedented. Ransomware “cartels,” or allied groups, now function like well-oiled machines or even enterprises of their own. While the idea of hacker collaboration and camaraderie might sound almost wholesome, the reality is anything but—and it’s defenders who are now forced to rethink their strategies and level up their game.

Here are five ways we’re seeing ransomware gangs gang up:

1. The rise of ransomware cartels

In 2021, ransomware groups began forming organized cartels to tag-team highly targeted campaigns and perform double or multi-extortion. Early alliances like Wizard Spider, Twisted Spider and LockBit set the tone for this new era of formalized cybercrime. By 2022, LockBit alone was responsible for 44% of global ransomware incidents, earning its reputation as the world’s most prolific cartel that year. While LockBit and some other early, prominent cartels have been shut down, new alliances like Scattered Spider and RansomHub are still forming and are stronger than ever.

2. Outsourced dirty work

Enter Initial Access Brokers (IABs)—cybercriminals who specialize in selling access to compromised networks. Take Pioneer Kitten, an Iranian hacking group: As IABs for Ransomhouse, NoEscape and BlackCat, they provided extortion strategies and network access to organizations in the defense, education, finance and healthcare sectors. By outsourcing infiltration, larger ransomware rings can focus efforts on payload deployment and extortion.

3. The stolen data pool

Paying the ransom doesn’t always save your data. Shared data leak sites act as central repositories for stolen information, amplifying the pressure for victims to pay up. And they’re becoming even more popular, with the number of new data leak platforms doubling in 2024 compared to 2023. For victims, this feels like a lose-lose scenario: pay the ransom and hope for the best, or risk sensitive data going public.

4. Ransomware, Inc. 

Cybercrime has gone corporate. With R&D teams, profit-sharing models and affiliate recruitment, today’s ransomware cartels operate like enterprises. Years ago, a typical ransomware attack involved a single actor hacking into networks, encrypting files and demanding payment. Now, attacks have evolved into a sophisticated supply chain: one group gains access, another exfiltrates data and yet another specializes in encryption.

The proliferation of Ransomware-as-a-Service (RaaS) has further professionalized these operations. The top five ransomware groups of the first half of 2024—all RaaS organizations— “lease” their ransomware to affiliates and collect a cut of the profits. The Symantec Threat Hunter team predicts we’ll see more of these organizations vying for top-tier affiliates by offering better terms and higher payouts—just like recruitment battles in legitimate industries. This corporate-style evolution is raising the stakes for defenders and creating a ransomware economy that’s more scalable, competitive and dangerous than ever.

5. Low barrier to entry for script kiddies

High-end attackers may be growing more sophisticated, but GenAI is giving amateur coders a leg up to join the ranks. These “script kiddies” are using AI as a how-to for malware code drafts, guidance and next steps. Just look at FunkSec, a newbie RaaS group that reportedly uses AI-assisted codes and techniques to punch above their weight. Meanwhile, some Chinese and Iranian groups are leveraging ChatGPT to develop malware, spread misinformation, evade detection and launch phishing campaigns. 

The democratization of cybercrime means even low-skill actors can launch highly advanced attacks, driving a greater need for adaptive security measures and robust, proactive defenses.

What you can do about it

Ransomware cartels aren’t the only ones who can collaborate. Stopping ransomware requires a united front—your IT team, leadership, employees and trusted security allies. It also means deploying enterprise-grade solutions to combat this rising threat level, no matter the size of your organization.

In addition to regular employee training, employ these best practices and solutions across your organization:

• Unify visibility across endpoints, networks, workloads and users with Endpoint Detection and Response (EDR)
• Prevent sophisticated LotL attacks with adaptive network protection
• Stop lateral movement with Zero Trust Network Access (ZTNA)
• Protect your data with top class Data Loss Prevention (DLP)
• Safeguard network access with a Secure Web Gateway (SWG) that provides browser isolation and policy control
• Identify and respond to evolving threats across all your endpoints using an Intrusion Prevention System (IPS)
• Employ enterprise-grade global threat intelligence
• Stay informed with the latest updates and protections

Ransomware groups have elevated their game with alliances, shared platforms and corporate-level efficiency—but so can defenders. With legendary solutions, trusted partners and proven strategies, enterprise-grade security is no longer a luxury—it’s possible for all. 

See how ransomware is shaping up for 2025. Read your copy of Ransomware 2025: A Resilient and Persistent Threat, the latest report from the Symantec and Carbon Black Threat Hunter Team.