Recent Attacks Suggest the Three Ransomware Groups Are Sharing Playbooks or Affiliates
Sophos, a renowned global pioneer in cybersecurity innovation and service delivery, has unveiled fresh discoveries about the interconnections among prominent ransomware groups over the preceding year. The findings appear in its report “Clustering Attacker Behavior Reveals Hidden Patterns,” which focuses particularly on the Royal ransomware group. Over a three-month period beginning in January 2023, Sophos X-Ops investigated four distinct ransomware attacks: one involving Hive, two by Royal, and one by Black Basta.
Striking parallels between these attacks were observed. Notably, even though Royal is known for its secretive nature and avoids recruiting affiliates through underground forums, close resemblances in the forensic details of these incidents imply that the groups share affiliates or highly specialized technical knowledge. Sophos is actively monitoring and documenting these attacks as a “cluster of threat activity,” which gives defenders a way to speed up detection and response.
Andrew Brandt, a principal researcher at Sophos, remarked, “The ransomware-as-a-service model often entails some overlap in tactics, techniques, and procedures [TTPs] among various ransomware collectives. However, the level of granularity in these instances is quite remarkable. These exceedingly specific, distinctive behaviours suggest a heavier reliance on affiliates by the Royal ransomware group than previously perceived. The new insights we’ve garnered about Royal’s collaboration with affiliates and potential associations with other entities underscore the significance of Sophos’ comprehensive forensic inquiries.”
These distinctive resemblances include the use of identical usernames and passwords when taking control of systems, delivering the final payload in a .7z archive named after the targeted organization, and executing commands on infected systems via identical batch scripts and files.
Sophos X-Ops’ investigation spanned a quarter of a year, during which it examined four ransomware attacks. The series began with the Hive ransomware incident in January 2023, followed by Royal’s operations in February and March 2023, and then Black Basta’s activity in March. Notably, a significant portion of Hive’s operations were dismantled by the FBI towards the end of January, potentially prompting Hive’s affiliates to seek alternative avenues, such as aligning with Royal and Black Basta. This scenario would explain the parallels in the subsequent ransomware attacks.
Given the striking commonalities discerned in these attacks, Sophos X-Ops commenced monitoring all four ransomware incidents as a unified cluster of threat activities.
Brandt emphasized, “Although threat activity clusters can serve as stepping stones toward attribution, excessive focus on the ‘who’ behind an attack can inadvertently overlook crucial opportunities to bolster defenses. A deep comprehension of highly specific attacker behaviours empowers managed detection and response teams to swiftly counter ongoing attacks. Furthermore, it aids security providers in crafting more potent safeguards for clients. By grounding protections in observed behaviours, the identity of the assailant—be it Royal, Black Basta, or any other—becomes immaterial; potential victims are equipped with the necessary security measures to thwart subsequent attacks displaying similar distinctive traits.”
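To show the behaviour-first approach described above, here is an added example (not Sophos’ code or data) that groups incident records into a threat activity cluster by the overlap of their observed behaviours, then extracts the traits common to the whole cluster as candidates for detection logic. The incident records, account names and script hashes are constructed placeholders.

```python
# Added example: cluster incidents by shared, highly specific attacker
# behaviours, as the Sophos report describes.  All incident data below is
# constructed; usernames and hashes are placeholders, not real indicators.
from itertools import combinations

# Each incident lists the distinctive behaviours observed during response,
# as (category, value) pairs so that matches are counted per trait.
INCIDENTS = {
    "hive-jan": {("account", "PLACEHOLDER_user_A"),
                 ("archive", "7z named after victim org"),
                 ("script", "batch:PLACEHOLDER_hash_1"),
                 ("tool", "rdp-lateral")},
    "royal-feb": {("account", "PLACEHOLDER_user_A"),
                  ("archive", "7z named after victim org"),
                  ("script", "batch:PLACEHOLDER_hash_1"),
                  ("tool", "psexec-lateral")},
    "royal-mar": {("account", "PLACEHOLDER_user_A"),
                  ("archive", "7z named after victim org"),
                  ("script", "batch:PLACEHOLDER_hash_1"),
                  ("tool", "rdp-lateral")},
    "blackbasta-mar": {("account", "PLACEHOLDER_user_A"),
                       ("archive", "7z named after victim org"),
                       ("script", "batch:PLACEHOLDER_hash_1"),
                       ("tool", "psexec-lateral")},
    # An unrelated incident that shares only a generic technique.
    "unrelated-apr": {("account", "PLACEHOLDER_user_B"),
                      ("archive", "zip with random name"),
                      ("script", "ps1:PLACEHOLDER_hash_2"),
                      ("tool", "rdp-lateral")},
}

def jaccard(a, b):
    """Overlap of two behaviour sets: |A and B| / |A or B|."""
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster(incidents, threshold):
    """Single-linkage clustering: link any two incidents whose behaviour
    overlap reaches `threshold`; connected components are the clusters."""
    parent = {k: k for k in incidents}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for a, b in combinations(incidents, 2):
        if jaccard(incidents[a], incidents[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for k in incidents:
        groups.setdefault(find(k), set()).add(k)
    return sorted(sorted(g) for g in groups.values())

def shared_behaviours(incidents, names):
    """Traits present in every incident of a cluster: what a detection
    should key on, whichever group is eventually credited with the attack."""
    return set.intersection(*(incidents[n] for n in names))
```

Generic techniques such as RDP lateral movement fall out of the shared set, leaving only the unusual traits that define the cluster.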
For additional details on these ransomware incidents, refer to the report titled “Clustering Attacker Behavior Reveals Hidden Patterns.”