While analyzing the data, we found some overlaps between the victims, whose data appeared in the leaks’ websites of more than one ransomware strain. These findings correlate with the reports about ransomware gangs teaming up to form ransomware “syndicates” or “cartels”, published in mid-2020. According to the reports, the Maze ransomware gang formed a cartel to extort victims through a shared data leak platform. Maze was detected adding to their leak site, data that was exfiltrated from a victim of the LockBit ransomware. At the time, Maze operators purportedly confirmed this collaboration and stated they will be joining forces with additional ransomware gangs. 10 It is possible that other such ransomware gangs “syndicates” have been formed, alongside the Maze cartel. + 5 victims have been targeted by multiple ransomware groups + Conti is present in 4 out of the 5 overlapping attacks + ThyssenKrupp is the most targeted victim, being attacked by 3 ransomware groups https://www.bleepingcomputer.com/news/security/ransomware-gangs-team-up-to-form-extortion-cartel/ 10. 2.2 OVERLAPPING VICTIMS + Conti + Mount Locker + NetWalker ThyssenKrupp ST Engineering Laboratoires Expanscience Ventura Orthopedics VUTEQ + Conti + Maze + Conti + Maze + Conti + DoppelPaymer + Maze + Ragnar Victim’s name Ransomware group 10 | The Ransomware Landscape