Hacking gangs launch cybercrime syndicate the Five Families


Oct 21, 2023

The groups say they will work together on common targets, continuing a trend of cybercriminals teaming up to pool resources.

By Claudia Glover

Four hacking gangs and a malware forum are joining forces to form a combined ransomware collective calling themselves the Five Families. The alliance says it aims to “establish better unity and connections for everyone in the underground world of the internet”.

A leader from each individual gang will help set the agenda for the group, according to a post on Telegram today.

The Five Families describes itself as a “group created to establish better unity and connections for everyone in the underground world of the internet, to expand and grow our work and operations”. It has taken the name given to five prominent Italian-American families involved in the New York mafia in the 1950s and 1960s.

The hackers' groups ThreatSec, GhostSec, Stormous, Blackforums, and SiegedSec have come together to create a united collective called "The Five Families." Additionally, this collective has dropped hints regarding collaborative operations in the future.

The ransomware gangs involved are all well established and each has a long list of victims. SiegedSec is a hacktivism group that claims to promote a left-wing political agenda, opposing US government policies via hacking and releasing stolen documents.

In June it distributed hacked materials from agencies in six US states, in a bid to raise awareness and protest against legislation affecting gender-affirming care. The data dump included South Carolina police files, a list of therapists in Texas and contact details for court officials in Nebraska.

Last year SiegedSec claimed to have leaked online 8GB of data stolen from two US state governments, in protest at the overturning of the Roe vs Wade decision, which guaranteed the right for women to have an abortion.

The gang has joined forces in the past with another in the collective, GhostSec, a prominent dark web hacking gang, active in targeting Russian forces throughout the war in Ukraine. According to a report into hacktivism by security vendor Mandiant, GhostSec and SiegedSec targeted operational technology assets – systems used to control and monitor industrial equipment – in the US, Israel and Russia in June 2022.

GhostSec has also been in partnership with the Arabic-speaking ransomware gang Stormous, another member of the Five Families collective. The two gangs officially announced their intentions to collaborate on Telegram on 13 July, where they declared their cooperation to target organisations in Cuba. Stormous has been active since mid-2021 and hit the media last year when it claimed to have 161GB of data from Coca-Cola, demanding 16 million Bitcoin from the global beverages company.

The last in the collective is ThreatSec, which targets banks and governments it deems to be contravening human rights, such as Iran and Azerbaijan. The four groups have been joined by the malware forum BlackForums, where ransomware data is often dumped and malware offered for sale. The forum is available on the clear web.

Hacking syndicates are nothing new in the cybercrime sphere. Recently, security analysts at Sophos linked Russian ransomware gangs BlackBasta, Hive and Royal, saying that “granular similarities” between the groups suggest all three are sharing technical details of their activities, or at least have affiliates in common.

Speaking at the BlackHat conference in Las Vegas earlier this month, Andrew Brandt, principal researcher at SophosLabs and one of the authors of the report, said: “Because the ransomware-as-a-service model requires outside affiliates to carry out attacks, it’s not uncommon for there to be crossover in the tactics, techniques and procedures between these different ransomware groups.”

Conti, another prolific Russian ransomware group, was shown to work closely with the LockBit, Maze and Ryuk groups when files showing its inner workings leaked online last year.