Researchers Expose Hidden Alliances Between Ransomware Groups
In the rapidly evolving cyber threat landscape, understanding the true nature of ransomware operations has become increasingly complex. Gone are the days when security teams could treat each ransomware family as a discrete, unified entity.
The “post-Conti era” has ushered in a fractured marketplace of mutations, in which allegiances shift, identities blur, and hidden connections underpin the entire ecosystem.
A new collaborative research effort led by Jon DiMaggio at Analyst1, in partnership with Scylla Intel and the DomainTools Investigations Team, culminates in an illuminating infographic titled “A Visual and Analytical Map of Russian-affiliated Ransomware Groups.”
Rather than simply cataloguing individual groups, the project reveals the intricate web of relationships—spanning shared code, infrastructure overlaps, and human operator migration—that drives modern ransomware operations.
The core objective of this research was to move beyond attribution of isolated ransomware “families” and instead chart the hidden connections that bind criminal factions.
Employing a “spider-out” incremental investigation, analysts began with established groups such as Conti, LockBit, and Evil Corp, then followed threads of similarity to lesser-known actors.
Data sources ranged from open-source intelligence and historic infrastructure records to proprietary threat feeds and human intelligence.
By cross-referencing overlapping IP addresses, passive DNS records, shared TLS certificates, and common delivery vectors, the team identified instances of resource pooling and affiliate-level reuse.
Code analysis further revealed fragments shared between Black Basta and Qakbot, as well as the continued use of legacy Trickbot infrastructure.
The prevalence of tools such as AnyDesk and Quick Assist underscored common training or operator playbooks, suggesting a degree of standardization across seemingly disparate groups.
The resulting infographic provides a comprehensive visual representation of these infrastructure and technical overlaps.
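As an added illustration of the cross-referencing step described above (example code, not from the report or from Analyst1, Scylla Intel or DomainTools), the following Python clusters brand names by the infrastructure artifacts they share, so that a rebrand which keeps its servers and certificates lands in the same cluster as its predecessor. All brand names and artifact values are constructed placeholders, and the `min_shared` threshold is an assumption.

```python
from collections import defaultdict
from itertools import combinations

# Constructed observations (not from the report): each brand name maps to the
# infrastructure artifacts seen with it. IPs are documentation ranges and the
# certificate fingerprints are placeholders, not real indicators.
OBSERVATIONS = {
    "Brand-A":  {"ip:203.0.113.10", "tls:sha256:PLACEHOLDER-1", "dns:c2-a.example"},
    "Brand-A2": {"ip:203.0.113.10", "tls:sha256:PLACEHOLDER-1", "dns:c2-b.example"},  # rebrand, same infra
    "Brand-B":  {"ip:198.51.100.7", "tls:sha256:PLACEHOLDER-2", "dns:c2-b.example"},
    "Brand-C":  {"ip:198.51.100.99", "tls:sha256:PLACEHOLDER-3"},
}

def artifact_index(observations):
    """Invert the records: artifact -> set of brands observed using it (pivot points)."""
    index = defaultdict(set)
    for brand, artifacts in observations.items():
        for artifact in artifacts:
            index[artifact].add(brand)
    return index

def shared_artifacts(observations):
    """Count how many artifacts each pair of brands has in common (pairs with none are omitted)."""
    brands = sorted(observations)
    return {
        (x, y): len(observations[x] & observations[y])
        for x, y in combinations(brands, 2)
        if observations[x] & observations[y]
    }

def cluster_by_infrastructure(observations, min_shared=1):
    """Spider-out clustering: brands linked by at least min_shared artifacts join one cluster."""
    parent = {b: b for b in observations}          # union-find over brand names
    def find(b):
        while parent[b] != b:
            parent[b] = parent[parent[b]]          # path compression
            b = parent[b]
        return b
    for (x, y), n in shared_artifacts(observations).items():
        if n >= min_shared:
            parent[find(x)] = find(y)
    clusters = defaultdict(set)
    for b in observations:
        clusters[find(b)].add(b)
    return sorted(sorted(c) for c in clusters.values())

if __name__ == "__main__":
    for artifact, brands in artifact_index(OBSERVATIONS).items():
        if len(brands) > 1:
            print("pivot artifact", artifact, "seen with", sorted(brands))
    print("clusters (>=1 shared):", cluster_by_infrastructure(OBSERVATIONS))
    print("clusters (>=2 shared):", cluster_by_infrastructure(OBSERVATIONS, min_shared=2))
```

Raising `min_shared` separates weak links (a single shared domain) from strong ones (the same host and certificate), which is the difference between a possible affiliate overlap and a likely rebrand.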
Human Capital and Operator Drift
Perhaps the most striking dimension of the research is the visualization of human overlap and operator drift. Security practitioners often assume that malware strains define a group’s identity, but the infographic dispels this notion by spotlighting individual actors who migrate between ecosystems.
For instance, the actor known as “Wazawaka” has ties to REvil, Babuk, LockBit, Hive, and Conti, while “Bassterlord” transitioned from REvil to Avaddon, then LockBit, and finally Hive.
These migrations demonstrate that human capital—the skills and relationships of individual operators—is the primary asset in ransomware operations.
Brand allegiances prove tenuous: operators adapt to market conditions, reorganize in response to law enforcement pressure, and rely on trusted contacts rather than group names.
Rebranding, in this context, emerges not as a disguise but as a strategic pivot—enabled by the mobility of operators who carry expertise and capabilities across multiple outfits.
The infographic’s findings carry significant implications for defenders and policymakers alike. First, code reuse or infrastructure sharing does not by itself establish group identity; assuming a single attributable group risks overlooking collaboration and convergence among actors.
Second, group labeling is increasingly obsolete; a more effective lens focuses on clusters of activity—shared TTPs, infrastructure fingerprints, and human networks—rather than on monolithic group names.
By illuminating the hidden alliances and overlaps that underpin Russian-affiliated ransomware, this research offers a new framework for threat intelligence.
Finally, understanding the modular nature of ransomware operations is critical for crafting disruption strategies.
As factions specialize in roles such as negotiation, development, or infrastructure management, they operate like components in a marketplace, reassembling in new configurations as conditions change.
Sanctions evasion tactics, such as Evil Corp’s repeated rebranding coupled with persistent infrastructure reuse, underscore the endurance of capabilities despite nominal changes.
Security teams must evolve their tracking methodologies, prioritizing stable infrastructure artifacts and human network analysis over transient brand names.
The full infographic, available through DomainTools Investigations, serves as both a visual guide and a strategic roadmap for understanding and countering these dynamic criminal ecosystems.