Kaspersky, the cybersecurity firm originally based in Russia, has uncovered a troubling trend in which cybercriminal groups team up to maximize profits by deploying two types of malicious attack in succession. This collaborative strategy involves spreading information-stealing malware first and following it with a ransomware attack, so that the cybercriminals receive double the ransom.
The latest discovery came from an investigation in Colombia, where a business was targeted by a cybercriminal group using RustyStealer, a type of malware designed to harvest sensitive data like login credentials, personal files, and other critical information. Once the attackers successfully extracted this data, they handed off the compromised network to another group that deployed a relatively new strain of ransomware known as Ymir.
Ymir ransomware is particularly dangerous because it remains stealthy, bypassing most anti-malware systems and gradually encrypting files over time. At present, no decryption key exists for this ransomware, making it an even more potent threat for victims.
While researchers are still working to establish a clear connection between the use of RustyStealer and the deployment of Ymir ransomware, the incident underscores a growing trend in the world of cybercrime: collaboration among hacking groups. In many cases, cybercriminals are known to share vulnerabilities and tools that help their partners infiltrate target networks more effectively.
A similar pattern was observed in the case of the BlackCat (ALPHV) ransomware group. In 2024, BlackCat targeted healthcare provider Change Healthcare, demanding a $22 million ransom in cryptocurrency. The FBI took down the ALPHV group's infrastructure in March 2024, disrupting its operations. However, shortly after, a new ransomware group named RansomHub emerged, claiming ties to the now-defunct BlackCat. RansomHub proceeded to demand a new ransom, threatening to leak sensitive data from Change Healthcare.
In both instances, the cybercriminals worked together in a coordinated attack: first stealing valuable information and then demanding ransom multiple times for the same data. This strategy illustrates how groups in the cybercrime world are increasingly collaborating to increase their earnings, capitalizing on their ability to compromise a target's network in different ways.
Experts warn that this trend could become more common as cybercriminal organizations continue to refine their tactics and pool resources to create a double threat that is harder to defend against.