One case of sharing was evidenced in data from the people behind the Ragnar Locker ransomware being displayed on the Maze website (screenshot below).
The reason for this collaboration could be because it will expose the data that is leaked to a bigger audience and attract more interest from those in the cyber underground.
In a second case, the Ragnar Locker group put up data supplied by Maze on its website. This data was from the US subsidiary of the Singapore-based global defence group ST Engineering which has taken two hits from Maze this year.
Ransomware groups have rapidly adopted a new feature which now means that any attack also means a data breach.
ST Engineering data from Maze displayed on the Ragnar Locker website.
The malware has additional functionality to exfiltrate data before encrypting it on-site and generating a ransom note.
The exfiltrated data is then used to squeeze a victim, being released on the ransomware group's website in drips and drabs if the victim refuses to pay up.
After a while, the data is also posted to dark web forums frequented by cyber criminals for use as they wish.
Asked for his take on this new trend, Brett Callow, a threat analyst from Emsisoft, a New Zealand-headquartered security firm, said: "The ransomware groups probably believe that distributing stolen data via multiple leak sites will apply further pressure to companies.
"Co-operation such as this is a concerning development as it could eventually result in groups combining their expertise in order to be able to attack companies more effectively."