Mapping Hidden Alliances in Russian-Affiliated Ransomware

Understanding the landscape of cyber threats, particularly Russian-affiliated ransomware, is a complex and evolving challenge. The traditional model of tracking distinct, unified ransomware groups is becoming increasingly difficult. In the “post-Conti era,” ransomware has transformed into a marketplace of mutations. It’s no longer about centralized operations but rather a fractured ecosystem where allegiances shift and connections are often hidden.

In order to develop a deeper understanding and help others in the community in the process, Jon DiMaggio at Analyst1, Scylla Intel, and the DomainTools Investigations Team dove into a research project that culminated into a detailed infographic called “A Visual and Analytical Map of Russian-affiliated Ransomware Groups.” This work follows previous research DomainTools undertook in tracking ransomware families and provides a visual representation of complex connections in this space.

The goal of this project was not simply attribution or listing individual groups. Instead, we set out to map hidden connections between criminal factions, going beyond just mapping “families” to understand the intricate relationships between them. The core focus was on identifying overlaps in human operators, code fragments, infrastructure, and TTPs (Tactics, Techniques, and Procedures).

To read the complete article see: here.