Sophos released new findings on the connections between the most prominent ransomware groups in its report, “Clustering Attacker Behavior Reveals Hidden Patterns,” after a three-month investigation during the first quarter of 2023.
Distinct Similarities
Sophos X-Ops detected clear parallels between four different ransomware attacks involving Hive, Black Basta, and two attacks by Royal, despite Royal being a closed-off group that doesn't overtly solicit affiliates from underground forums.
The research uncovered similarities between the attacks, including the use of the same usernames and passwords, and the same batch scripts and files to execute instructions on compromised systems. The results indicate that all three groups are either sharing affiliates or sharing specific technical information about their attacks.
Granular Level
“Because the ransomware-as-a-service model requires outside affiliates to carry out attacks, it’s not uncommon for there to be crossover in the tactics, techniques, and procedures (TTPs) between these different ransomware groups. However, in these cases, the similarities we’re talking about are at a very granular level. These highly specific, unique behaviors suggest that the Royal ransomware group is much more reliant on affiliates than previously thought. The new insights we’ve gained about Royal’s work with affiliates and possible ties to other groups speak to the value of Sophos’ in-depth, forensic investigations,” said Andrew Brandt, principal researcher, Sophos.
Brandt emphasized the importance of understanding specific attacker behavior, both so that incident response teams can react to active attacks more quickly and so that security providers can build stronger protections for customers.
“When protections are based on behaviors, it doesn’t matter who is attacking—Royal, Black Basta, or otherwise—potential victims will have the necessary security measures in place to block subsequent attacks that display some of the same distinct characteristics,” said Brandt.