Sophos, a global leader in cybersecurity innovation and services, has unveiled significant findings regarding the interconnections between prominent ransomware groups in the past year. The comprehensive report titled “Clustering Attacker Behavior Reveals Hidden Patterns” delves into the relationships between various ransomware attacks, notably involving Royal, Hive, and Black Basta.
Shared Tactics and Potential Affiliations
Over a three-month investigation beginning in January 2023, Sophos X-Ops found close parallels between these attacks, suggesting that the groups share affiliates or specific technical details. Treating the attacks as a single “cluster of threat activity” helps track and monitor them and improves detection and response.
Andrew Brandt, Principal Researcher at Sophos, said, “Because the ransomware-as-a-service model requires outside affiliates to carry out attacks, it’s not uncommon for there to be crossover in the tactics, techniques, and procedures (TTPs) between these different ransomware groups.
However, in these cases, the similarities we’re talking about are at a very granular level. These highly specific, unique behaviors suggest that the Royal ransomware group is much more reliant on affiliates than previously thought. The new insights we’ve gained about Royal’s work with affiliates and possible ties to other groups speak to the value of Sophos’ in-depth, forensic investigations.”
Unveiling Key Parallels in Attack Methods
Key findings include the use of the same specific usernames and passwords during system takeover, delivery of the final payload in a .7z archive named after the victim organization, and execution of commands using identical batch scripts and files on infected systems.
Investigation Timeline and Context
The Sophos X-Ops investigation covered four distinct ransomware attacks: a Hive attack in January 2023, two Royal attacks in February and March of the same year, and a Black Basta attack in March.
The context matters because Hive’s operations were significantly disrupted by an FBI sting operation in January. Displaced Hive affiliates may have sought new partners such as Royal and Black Basta, which would explain the similarities observed in the subsequent attacks.
A Coordinated Approach: Cluster of Threat Activity
This discovery prompted Sophos X-Ops to classify these four ransomware incidents as a coordinated “cluster of threat activity.” This approach underscores the importance of identifying specific attacker behaviors to enhance response times and security measures, irrespective of the originating group.
“Knowing highly specific attacker behavior helps managed detection and response teams react faster to active attacks. It also helps security providers create stronger protections for customers. When protections are based on behaviors, it doesn’t matter who is attacking—Royal, Black Basta, or otherwise—potential victims will have the necessary security measures in place to block subsequent attacks that display some of the same distinct characteristics,” concluded Brandt.
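As an added illustration of the behavior-based clustering the report describes (example code written for this page, not Sophos’ own tooling): each incident is modelled as a set of granular indicators loosely based on the three shared behaviors above, with constructed incident and indicator names, and incidents are grouped by Jaccard similarity regardless of which ransomware family was deployed.

```python
# Added example (not from the Sophos report): represent each incident as a set of
# granular behavioural indicators and cluster incidents by how many they share,
# ignoring the ransomware family that was deployed. Incident names and indicator
# labels are constructed for illustration only.
from itertools import combinations

INCIDENTS = {
    "Hive_Jan2023": {"reused_creds_A", "payload_7z_named_after_victim",
                     "batch_script_X", "rdp_lateral_movement"},
    "Royal_Feb2023": {"reused_creds_A", "payload_7z_named_after_victim",
                      "batch_script_X", "psexec_deploy"},
    "Royal_Mar2023": {"reused_creds_A", "payload_7z_named_after_victim",
                      "batch_script_X"},
    "BlackBasta_Mar2023": {"reused_creds_A", "batch_script_X",
                           "payload_7z_named_after_victim", "rdp_lateral_movement"},
    "Unrelated_Apr2023": {"phishing_macro", "cobalt_strike_beacon"},
}

def jaccard(a, b):
    """Jaccard similarity of two indicator sets (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def cluster_incidents(incidents, threshold=0.5):
    """Single-linkage clustering: incidents whose indicator sets have
    Jaccard similarity >= threshold end up in the same cluster."""
    parent = {name: name for name in incidents}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x
    for a, b in combinations(incidents, 2):
        if jaccard(incidents[a], incidents[b]) >= threshold:
            parent[find(a)] = find(b)
    clusters = {}
    for name in incidents:
        clusters.setdefault(find(name), set()).add(name)
    # largest cluster first, then alphabetical for a stable order
    return sorted(clusters.values(), key=lambda c: (-len(c), sorted(c)))

def shared_indicators(incidents, cluster):
    """Indicators present in every incident of a cluster: these are the
    candidate behaviours for family-agnostic detection rules."""
    return set.intersection(*(incidents[n] for n in cluster))

if __name__ == "__main__":
    for cluster in cluster_incidents(INCIDENTS):
        print(sorted(cluster), "share", sorted(shared_indicators(INCIDENTS, cluster)))
```

The indicators common to the whole cluster are the ones worth turning into detections, since they fire no matter which family label the final payload carries.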
Further Insights in the Full Article
For a more comprehensive understanding of these ransomware attacks, readers can access the full article titled “Clustering Attacker Behavior Reveals Hidden Patterns.”