Ransomware Gangs Are Teaming Up. Security Leaders Need to Rethink Defense.
Ransomware used to be easy to explain. An attacker broke in, deployed malware, encrypted systems, and demanded payment.
That story no longer reflects reality.
Today’s ransomware activity looks far more like an ecosystem than a single threat actor. Groups collaborate, specialize, and trade access. Some focus on phishing and social engineering. Others specialize in identity abuse, OAuth token theft, or cloud access. Still others handle data leaks and extortion.
“The lines between the groups have gotten really blurry,” said Sherri Davidoff on a recent episode of CyberSide Chats.
This evolution has serious implications. Defending against malware alone is no longer sufficient. Modern defense must account for identity abuse, SaaS risk, and data exposure even when no encryption occurs.
From Isolated Gangs to Coordinated Ecosystems
Modern ransomware groups are no longer operating in silos. Instead, they function as loosely connected networks where different actors play specialized roles.
Initial access brokers focus on getting a foothold through phishing, credential theft, or social engineering. That access is then sold or handed off to other groups that specialize in data exfiltration, extortion, or follow-on attacks. In many cases, no ransomware payload is ever deployed.
This model allows attackers to scale faster and reduce operational risk. It also makes attribution and response far more difficult for defenders.
For a broader look at how this cybercrime economy operates, see Microsoft’s Digital Defense Report, which outlines the rise of access brokers and cybercrime-as-a-service.
Why Data Exfiltration Is Replacing Encryption
One of the most important shifts discussed on the podcast is the move away from encryption-based ransomware toward pure data extortion.
Encrypting systems is complex. Attackers must deploy payloads, manage encryption keys, and maintain operational stability. Stealing data is faster, quieter, and lower risk.
“At this point, it’s just easier for them to steal your data and threaten to leak it,” said Matt Durrin, LMG Security’s Director of Training.
This trend is especially common among smaller and mid-sized organizations. The Sophos State of Ransomware report shows that data-only extortion occurs far more frequently in organizations with fewer than 250 employees.
Identity Is Now the Primary Attack Path
Across nearly every modern extortion case, identity abuse plays a central role.
Attackers are increasingly bypassing malware and instead relying on stolen credentials, OAuth tokens, and API keys. Once they have legitimate access, they can operate quietly and persistently.
This is why password resets often fail to stop data theft. OAuth tokens remain valid. Third-party integrations continue to function. Access persists even after credentials change.
“Hackers don’t break in, they log in.” – Bret Arsenault, Microsoft
This pattern has been documented extensively in consent phishing attacks targeting SaaS platforms like Salesforce, Microsoft 365, and Google Workspace.
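The point above, that a password reset leaves previously issued OAuth grants and refresh tokens alive, is easiest to see in an audit that compares each grant's issue time with the user's last reset. The script below is an added example, not code from the article or from LMG Security: the grant records are constructed sample data in a hypothetical inventory layout (real deployments would populate them from the identity provider's app-consent and token audit export), and the scope names are illustrative. It flags grants issued before a reset and never revoked, grants carrying broad data-access scopes, and refresh tokens whose lifetime exceeds policy, which covers the "review OAuth scopes and token lifetimes" action later in the article as well.

```python
"""Audit OAuth grants that survive a credential reset.

Added example for this article (not the article's or LMG Security's code).
All grant records below are constructed sample data in a hypothetical
inventory format; scope names are illustrative.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Scopes that expose bulk data or keep access alive across sessions (illustrative list).
HIGH_RISK_SCOPES = frozenset({"Mail.Read", "Files.Read.All", "offline_access", "Directory.Read.All"})


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    scopes: frozenset
    issued_at: datetime
    token_expiry: datetime  # expiry of the refresh token, not the short-lived access token
    revoked: bool = False


def risk_reasons(grant, password_reset_at, max_token_life=timedelta(days=90)):
    """Return the list of reasons a grant needs attention (empty list if none)."""
    reasons = []
    if grant.revoked:
        return reasons
    # A password reset does not invalidate a refresh token issued earlier;
    # only an explicit revocation does.
    if grant.issued_at < password_reset_at:
        reasons.append("issued before password reset and never revoked")
    risky = grant.scopes & HIGH_RISK_SCOPES
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(sorted(risky)))
    if grant.token_expiry - grant.issued_at > max_token_life:
        reasons.append("token lifetime exceeds policy")
    return reasons


def audit(grants, resets):
    """Map (user, app) -> reasons for every grant that should be revoked or reviewed."""
    never = datetime.min.replace(tzinfo=UTC)  # users with no recorded reset
    findings = {}
    for g in grants:
        reasons = risk_reasons(g, resets.get(g.user, never))
        if reasons:
            findings[(g.user, g.app)] = reasons
    return findings


# Constructed sample data: one user reset her password on 2025-01-10.
SAMPLE_RESETS = {"alice@example.com": datetime(2025, 1, 10, tzinfo=UTC)}
SAMPLE_GRANTS = [
    # Consented before the reset, broad scopes, long-lived token: still valid after the reset.
    Grant("alice@example.com", "mail-sync-app", frozenset({"Mail.Read", "offline_access"}),
          datetime(2024, 12, 1, tzinfo=UTC), datetime(2025, 6, 1, tzinfo=UTC)),
    # Consented after the reset with a narrow scope and short lifetime: nothing to flag.
    Grant("alice@example.com", "calendar-widget", frozenset({"Calendars.Read"}),
          datetime(2025, 1, 12, tzinfo=UTC), datetime(2025, 2, 12, tzinfo=UTC)),
    # Revoked grants are ignored even though the scope is broad.
    Grant("alice@example.com", "old-plugin", frozenset({"Mail.Read"}),
          datetime(2024, 11, 1, tzinfo=UTC), datetime(2024, 12, 1, tzinfo=UTC), revoked=True),
    # No reset on record, but the scope alone warrants review.
    Grant("bob@example.com", "reporting-tool", frozenset({"Files.Read.All"}),
          datetime(2025, 1, 2, tzinfo=UTC), datetime(2025, 2, 2, tzinfo=UTC)),
]


def run_audit():
    return audit(SAMPLE_GRANTS, SAMPLE_RESETS)


if __name__ == "__main__":
    for (user, app), reasons in sorted(run_audit().items()):
        print(f"{user} / {app}: {'; '.join(reasons)}")
```

Run as a script it prints two findings: the pre-reset `mail-sync-app` grant for the reset user (three reasons) and the broad-scope `reporting-tool` grant. The containment step this supports is revoking the flagged grants and refresh tokens explicitly rather than relying on the reset alone.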
SaaS Platforms Are High-Value Targets
SaaS platforms have become some of the most attractive targets in modern attacks. They often contain customer data, financial records, and operational intelligence. They also tend to have broad permissions and limited monitoring.
The Panera Bread breach provides a clear example. Reporting linked the incident to ShinyHunters and voice phishing, with attackers gaining access through single sign-on and stealing data affecting millions of customers.
In many organizations, SaaS security lags behind endpoint and network security. OAuth permissions accumulate. Alerting for large-scale data exfiltration may be limited or nonexistent.
During tabletop exercises at LMG Security, one of the most common gaps we see is a lack of understanding about what data actually lives in SaaS platforms. When teams cannot answer that question, effective incident response becomes nearly impossible.
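The gap named above, that alerting for large-scale exfiltration from SaaS platforms is often missing, can be closed with a simple sliding-window rule over the platform's audit log. The following is an added example, not code from the article or from LMG Security: the audit events are constructed sample data in a hypothetical JSON-lines layout (fields `ts`, `user`, `action`, `object`, `bytes`), and the action names are illustrative; map them from your platform's own export. It raises one alert per account whose download or export activity inside a ten-minute window exceeds either an event count or a byte volume, while ignoring ordinary spread-out usage.

```python
"""Detect bulk downloads or exports in SaaS audit logs.

Added example for this article (not the article's or LMG Security's code).
Log lines are constructed sample events in a hypothetical JSON-lines layout.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Actions that move data out of the platform (illustrative names).
BULK_ACTIONS = {"FileDownloaded", "ReportExported", "RecordsExported"}


def parse(text):
    """Yield event dicts from JSON lines, converting the timestamp to datetime."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def detect_bulk_pulls(events, window=timedelta(minutes=10), max_events=20, max_bytes=500_000_000):
    """Return one alert per user whose bulk activity in any sliding window exceeds a threshold."""
    recent = defaultdict(deque)  # user -> deque of (ts, bytes) inside the current window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in BULK_ACTIONS:
            continue
        q = recent[ev["user"]]
        q.append((ev["ts"], ev.get("bytes", 0)))
        while q and ev["ts"] - q[0][0] > window:  # drop events older than the window
            q.popleft()
        total = sum(b for _, b in q)
        if (len(q) >= max_events or total >= max_bytes) and ev["user"] not in alerted:
            alerted.add(ev["user"])
            alerts.append({"user": ev["user"], "window_start": q[0][0],
                           "events": len(q), "bytes": total})
    return alerts


def build_sample_log():
    """Constructed sample audit log (JSON lines). Not real data."""
    base = datetime(2025, 1, 15, 9, 0, 0)
    lines = []
    # Normal activity: five downloads spread across an hour.
    for i in range(5):
        lines.append(json.dumps({"ts": (base + timedelta(minutes=12 * i)).isoformat(),
                                 "user": "alice@example.com", "action": "FileDownloaded",
                                 "object": f"/reports/q{i}.xlsx", "bytes": 2_000_000}))
    # Suspicious burst: 25 downloads inside three minutes from one integration account.
    for i in range(25):
        lines.append(json.dumps({"ts": (base + timedelta(minutes=30, seconds=7 * i)).isoformat(),
                                 "user": "svc-integration@example.com", "action": "FileDownloaded",
                                 "object": f"/customers/batch{i}.csv", "bytes": 5_000_000}))
    # A single oversized export trips the byte threshold on its own.
    lines.append(json.dumps({"ts": (base + timedelta(minutes=45)).isoformat(),
                             "user": "carol@example.com", "action": "RecordsExported",
                             "object": "AllContacts", "bytes": 600_000_000}))
    # A non-bulk event that the rule must ignore.
    lines.append(json.dumps({"ts": (base + timedelta(minutes=46)).isoformat(),
                             "user": "carol@example.com", "action": "Login",
                             "object": "-", "bytes": 0}))
    return "\n".join(lines)


def run_detection():
    return detect_bulk_pulls(parse(build_sample_log()))


if __name__ == "__main__":
    for a in run_detection():
        print(f"{a['user']}: {a['events']} bulk events, {a['bytes']} bytes from {a['window_start']}")
```

On the sample data the rule fires twice, for the integration account's burst and for the single large export, and stays silent for the account whose downloads are spread over the hour. Thresholds should be tuned per platform and per role; integration and service accounts in particular deserve a lower event threshold because their expected pattern is predictable.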
When Attackers Turn on Each Other
Cybercriminal groups like to project power and precision. But behind the branding and bold claims, many ransomware ecosystems are fragile, volatile, and riddled with internal conflict.
The recent BreachForums leak is a perfect example.
What appeared to be a dominant underground marketplace fractured from within. Internal disputes escalated, trust eroded, and the result wasn’t just drama on a hacking forum — it was a massive data spill. Hundreds of thousands of BreachForums user accounts were exposed after the forum’s database was leaked during an internal conflict.
This wasn’t an external takedown. It was infighting.
Further reporting suggests fractures tied to ShinyHunters and competing factions accelerated the breakdown. Alliances shifted. Access changed hands. Infrastructure was exposed. The same ecosystem that facilitates stolen data distribution became the victim of its own instability.
And this isn’t new.
The Conti leaks followed a similar pattern. Ideological disagreements and internal resentment led a member to dump chat logs, revealing the scale, profits, and operational structure of one of the most notorious ransomware groups in history. What looked like a cohesive enterprise unraveled because of internal fracture.
For defenders, the lesson isn’t that criminals are disorganized. It’s that once data is stolen, it enters an ecosystem you cannot control — one that is unstable, opportunistic, and often self-destructive.
Data doesn’t just sit in one place waiting for ransom negotiations. It moves. It gets copied. It gets traded. And sometimes, it gets leaked simply because criminals are fighting with each other.
When internal disputes become the catalyst for exposure, traditional assumptions about containment break down.
Once data leaves your environment, control is effectively gone.
What Security Leaders Should Focus on Now
Despite the evolving threat landscape, the most effective defensive actions remain practical.
- Harden identity and SaaS workflows, not just endpoints – Review help desk procedures, SSO flows, OAuth permissions, and admin access. Many recent incidents succeed without malware or exploits.
- Train staff for voice phishing and IT impersonation – Add vishing scenarios to security awareness programs, especially for help desk and IT-adjacent roles.
- Limit blast radius across cloud and SaaS platforms – Enforce least privilege, audit third-party integrations, and regularly review OAuth scopes and token lifetimes.
- Plan for data extortion without ransomware – Update incident response plans and tabletop exercises to assume data theft and public exposure, even when no systems are encrypted.
- Practice executive decision-making under data exposure pressure – Tabletop exercises should include legal, communications, and leadership discussions about public leaks, reputational risk, and extortion demands.
A Short, Practical Conclusion
Ransomware is no longer just about malware. It is about identity, access, and data exposure. Attackers have adapted. Security programs must adapt as well.
If you want to see how your organization would actually respond to identity-driven data extortion, SaaS compromise, or public data exposure, LMG Security’s incident response tabletop exercises are designed to test exactly these scenarios.
Preparation remains one of the most effective security controls available.