Discover hidden patterns and surprising affiliations among these groups, shedding light on their operations and tactics.
In a groundbreaking report titled “Clustering Attacker Behavior Reveals Hidden Patterns,” globally acclaimed cybersecurity-as-a-service provider Sophos has unveiled a web of interconnections between some of the most notable ransomware groups operating over the past year. Of particular interest is the group known as Royal, notorious for its clandestine nature. The comprehensive investigation, carried out by Sophos X-Ops over a span of three months starting from January 2023, delved into four distinct ransomware attacks. These attacks involved actors from Hive, Royal, and Black Basta, and intriguingly, unveiled striking similarities in their modus operandi.
Although Royal has gained a reputation for maintaining a closed-off stance, avoiding overt recruitment efforts on underground forums, the meticulous analysis of attack forensics has unearthed unexpected parallels across the attacks conducted by these disparate groups. The intricacies found within the forensics hint at the possibility of shared affiliates or the exchange of highly specialised technical insights among these groups.
Sophos has strategically categorised and monitored this convergence of threat activities as a cluster, empowering cybersecurity defenders to expedite their detection and response strategies. This development comes as a pivotal advancement, allowing defenders to harness a more proactive approach against ransomware attacks.
Andrew Brandt, Principal Researcher at Sophos, commented on these findings, stating, “The ransomware-as-a-service model necessitates external affiliates to execute attacks, often resulting in a degree of overlap in tactics, techniques, and procedures (TTPs) across distinct ransomware factions. However, the resemblances we’ve uncovered delve far deeper, reaching an incredibly granular level. These highly specific, idiosyncratic behaviours underscore the Royal ransomware group’s heightened reliance on affiliates, a facet that had previously eluded our understanding. The insights we’ve gained not only shed light on Royal’s affiliations but also emphasise the value of our meticulous, forensic inquiries.”
Key parallels discovered encompass the deployment of identical usernames and passwords during the infiltration of target systems, the delivery of the ultimate payload via a .7z archive named after the victim organisation, and the execution of commands within infected systems through uniform batch scripts and files.
The breakthrough in uncovering these connections emerged from Sophos X-Ops’ extensive three-month investigation into four ransomware incidents. The initial attack occurred in January 2023, involving the Hive ransomware. Subsequently, Royal orchestrated attacks in February and March of the same year, followed by Black Basta’s involvement in March. The takedown of a significant portion of Hive’s operations by the FBI towards the end of January potentially prompted displaced affiliates to seek new allegiances, potentially explaining the thematic similarities observed in subsequent ransomware attacks by groups such as Royal and Black Basta.
Elevating the significance of this discovery, Sophos X-Ops commenced tracking all four ransomware incidents as a unified cluster of threat activity.
While the pursuit of threat attribution can be vital, Sophos underscores the importance of not fixating solely on the “who” behind an attack. By focusing on specific attacker behaviours, managed detection and response teams can substantially enhance their ability to counter ongoing attacks, thereby enabling security providers to develop more robust defences for their clientele. This behaviour-based approach negates the necessity to pinpoint the attackers, ensuring that potential victims possess the requisite security measures to thwart subsequent attacks that exhibit analogous distinctive traits.