Recent Attacks Suggest the Three Ransomware Groups Are Sharing Playbooks or Affiliates
Sophos’ report “Clustering Attacker Behavior Reveals Hidden Patterns” exposes connections between major ransomware groups this year, including Royal. Over three months from January 2023, Sophos X-Ops studied four attacks: one involving Hive, two Royal attacks, and one by Black Basta. Despite Royal’s secretive nature, forensic resemblances imply shared affiliates or technical specifics. Sophos tracks these as a “cluster of threat activity,” aiding faster response for defenders.
“Because the ransomware-as-a-service model requires outside affiliates to carry out attacks, it’s not uncommon for there to be crossover in the tactics, techniques, and procedures (TTPs) between these different ransomware groups. The new insights we’ve gained about Royal’s work with affiliates and possible ties to other groups speak to the value of Sophos’ in-depth, forensic investigations,”
Andrew Brandt, principal researcher, Sophos.
The unique similarities include using the same specific usernames and passwords when the attackers took over systems on the targets, delivering the final payload in .7z archive named after the victim organization, and executing commands on the infected systems with the same batch scripts and files.
Sophos X-Ops succeeded in uncovering these connections following a three-month long investigation into four ransomware attacks. The first attack involved Hive ransomware in January 2023. This was followed by Royals’ attacks in February and March 2023 and, later, in March, Black Basta’s. Near the end of January this year, a large portion of Hive’s operation was disbanded following a sting operation by the FBI. This operation could have led Hive affiliates to seek new employment—perhaps with Royal and Black Basta—which would explain the similarities in the ensuing ransomware attacks.
“While threat activity clusters can be a stepping stone to attribution, when researchers focus too much on the ‘who’ of an attack, then they can miss critical opportunities for strengthening defenses. Knowing highly specific attacker behavior helps managed detection and response teams react faster to active attacks. It also helps security providers create stronger protections for customers. When protections are based on behaviors, it doesn’t matter who is attacking—Royal, Black Basta, or otherwise—potential victims will have the necessary security measures in place to block subsequent attacks that display some of the same distinct characteristics,” said Brandt.