There’s Evidence That Ransomware Groups Are Forming Extortion Cartels

Last updated June 23, 2021
Written by: Bill Toulas, Infosec Writer

Ransomware group “MountLocker” is now touting 5% of the data dump originally stolen by “Ragnar Locker” during a cyberattack against ‘Dassault Falcon.’ As the hackers claim, the listing is from one of their partners, which is a clear indication that ransomware gangs are now working in collaboration, forming extortion cartels and making the most out of their successful breaches.

We were tipped off about this by researchers at KELA, the Israeli cyber-intelligence firm.

Source: KELA

KELA has previously explained in detail how collaborations open up new monetization channels, and this incident confirms those assumptions. We had seen such signs before and talked about the dire possibility of strong affiliations and co-ops forming in the field, amplifying an already extremely troublesome problem.

‘Dassault Falcon’ is an aircraft designer and manufacturer, engaging mainly in the business jet market. The firm employs over 12,000 people and has an annual revenue of about $2 billion. Ragnar Locker hit the company about ten days ago, claiming to have stolen about 10 GB of sensitive data and publishing screenshots of the accessed filesystem. Among the files are employee salary details, confidential agreements, billing activity reports, contacts, corporate correspondence, and non-disclosure agreements.

Ragnar Locker claimed that Dassault executives ignored the security breach and chose not to contact them to negotiate. The leaking of documents then began, and it is unknown whether any ransom was paid.

Now, MountLocker is joining the party, ready to launch their own extortion and demand a new ransom amount from Dassault Falcon. Potentially, Ragnar Locker shared the dump freely, hoping to get something in return, either a cut from the ransom payment or a dump from MountLocker’s offensive activities in the future.

Whatever the case, this collaboration is not good news for companies dealing with ransomware threats. It’s also yet another compelling reason not to pay the ransom. If ransomware groups share their extortion levers with each other, what’s the point of paying them, and who can guarantee when this racketeering process stops?


