Delhi: Global cybersecurity company Sophos has uncovered new links between three ransomware groups: Hive, Royal and Black Basta. The findings, from its new report, Clustering Attacker Behaviour Reveals Hidden Patterns, delve into the connections between the most prominent ransomware groups of the past year, including Royal.
During the first three months of 2023, Sophos X-Ops investigated four different ransomware attacks: one involving Hive, two by Royal, and one by Black Basta. It noticed distinct similarities between the attacks.
Royal, a notoriously closed-off group, does not openly solicit affiliates on underground forums; however, granular similarities in the forensics of the attacks suggest that all three groups are sharing either affiliates or highly specific technical details of their activities.
The company said it is further tracking and monitoring those attacks as a “cluster of threat activity” that defenders can use to speed up detection and response times.
“Because the ransomware-as-a-service model requires outside affiliates to carry out attacks, it’s not uncommon for there to be crossover in the tactics, techniques, and procedures (TTPs) between these different ransomware groups,” said Andrew Brandt, principal researcher, Sophos.
“However, in these cases, the similarities we’re talking about are at a very granular level. These highly specific, unique behaviours suggest that the Royal ransomware group is much more reliant on affiliates than previously thought,” added Brandt.
“The new insights we’ve gained about Royal’s work with affiliates and possible ties to other groups speak to the value of Sophos’ in-depth, forensic investigations,” noted Brandt.
On the specific similarities between Hive, Royal and Black Basta, the Sophos report found that the attackers used the same usernames and passwords when taking over systems on the victims’ networks, delivered the final payload in a .7z archive named after the victim organisation, and executed commands on the infected systems using the same batch scripts and files.
Sophos X-Ops uncovered these connections following a three-month-long investigation into four ransomware attacks. The first attack involved Hive ransomware in January 2023. This was followed by Royal’s attacks in February and March 2023 and, later in March, by Black Basta’s.
Following an FBI sting operation, a large portion of Hive’s operation was disbanded by the end of January 2023. This operation could have led Hive affiliates to seek new employment, perhaps with Royal and Black Basta, which would explain the similarities in the ensuing ransomware attacks.
Because of the similarities between these attacks, Sophos X-Ops began tracking all four ransomware incidents as a single cluster of threat activity.
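The "cluster of threat activity" idea above rests on a simple observation: incidents that share several highly specific behaviours (the same account names, the same archive naming convention, the same batch scripts) are more likely to share an operator or affiliate than incidents that share only generic techniques. The following script is an added illustration of that grouping step, written for this article; it is not Sophos code and does not reproduce any indicator from the report. The five incidents, the behaviour labels and the credential placeholders are all constructed, and the 0.5 similarity threshold is an arbitrary choice for the demonstration.

```python
"""Group incidents into clusters by overlap in observed attacker behaviours.

Added example, not Sophos code. Every incident, behaviour label and
credential value below is a constructed placeholder, not a real indicator.
"""
from itertools import combinations

# Constructed sample: each incident maps to the set of behaviour labels a
# forensic review recorded. Labels follow a "category:value" convention so
# that a shared account or script is a single, comparable token.
INCIDENTS = {
    "INC-2023-01-hive": {
        "account:<PLACEHOLDER_USER_A>",          # same admin account name
        "payload:7z-archive-named-after-victim",  # archive naming convention
        "script:<PLACEHOLDER_BATCH_A>",           # same batch file
        "tool:rdp-lateral-movement",
    },
    "INC-2023-02-royal": {
        "account:<PLACEHOLDER_USER_A>",
        "payload:7z-archive-named-after-victim",
        "script:<PLACEHOLDER_BATCH_A>",
        "tool:psexec-remote-execution",
    },
    "INC-2023-03-royal": {
        "account:<PLACEHOLDER_USER_A>",
        "payload:7z-archive-named-after-victim",
        "script:<PLACEHOLDER_BATCH_A>",
        "tool:rdp-lateral-movement",
    },
    "INC-2023-03-basta": {
        "account:<PLACEHOLDER_USER_A>",
        "payload:7z-archive-named-after-victim",
        "script:<PLACEHOLDER_BATCH_A>",
        "tool:cobalt-strike-beacon",
    },
    # Unrelated incident that shares only a generic technique (RDP).
    "INC-2023-04-other": {
        "account:<PLACEHOLDER_USER_B>",
        "payload:plain-exe-dropper",
        "script:<PLACEHOLDER_POWERSHELL_LOADER>",
        "tool:rdp-lateral-movement",
    },
}


def jaccard(a, b):
    """Jaccard similarity of two behaviour sets (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def cluster_incidents(incidents, threshold=0.5):
    """Single-linkage clustering: two incidents join the same cluster when
    their Jaccard similarity meets the threshold (union-find under the hood).
    Returns a sorted list of sorted incident-name lists."""
    parent = {name: name for name in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(incidents, 2):
        if jaccard(incidents[a], incidents[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for name in incidents:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(members) for members in groups.values())


def shared_behaviours(incidents, cluster):
    """Behaviours present in every incident of a cluster: the candidate
    'highly specific' indicators worth turning into detections."""
    return set.intersection(*(incidents[name] for name in cluster))


if __name__ == "__main__":
    for members in cluster_incidents(INCIDENTS):
        print(members, "share:", sorted(shared_behaviours(INCIDENTS, members)))
```

With the constructed data, the four incidents that share the account, the archive convention and the batch script collapse into one cluster while the unrelated incident stays alone, even though it also uses RDP: a single generic technique is not enough to cross the threshold. In practice the threshold and the label normalisation are the hard parts; labels must be derived consistently from forensic artifacts (hashed script contents, canonicalised account names) or near-identical behaviours will not match.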
“Knowing highly specific attacker behaviour helps managed detection and response teams react faster to active attacks. It also helps security providers create stronger protections for customers,” observed Brandt.
“When protections are based on behaviors, it doesn’t matter who is attacking—Royal, Black Basta, or otherwise—potential victims will have the necessary security measures in place to block subsequent attacks that display some of the same distinct characteristics,” concluded Brandt.