Emerging Evidence Indicates Potential Collaboration or Affiliation Among Three Ransomware Groups, as Evidenced by Recent Incidents
New Delhi, NFAPost: Leading the charge in cybersecurity innovation and service delivery, Sophos has unveiled fresh insights into the interconnections among some of the most notable ransomware groups over the past year. The findings are featured in their report titled “Clustering Attacker Behavior Reveals Hidden Patterns.” The investigation, conducted by Sophos X-Ops, delves into the activities of four distinct ransomware attacks spanning a three-month period beginning in January 2023. The incidents involved Hive, Royal (in two separate attacks), and Black Basta ransomware groups. Remarkably, the research highlights noteworthy parallels across these attacks, suggesting a potential sharing of playbooks or affiliations among these groups.
Notably, Royal is renowned for its insularity and reluctance to engage with affiliates through underground forums. However, the intricate parallels detected in the forensic details of the attacks hint at a possible exchange of affiliates or specialized technical insights. This phenomenon has prompted Sophos to identify and monitor these incidents as a “cluster of threat activity,” which offers a valuable advantage to defenders in accelerating detection and response efforts.
Andrew Brandt, Principal Researcher at Sophos, emphasized the significance of these findings, stating, “While the ransomware-as-a-service model often entails shared tactics, techniques, and procedures (TTPs), the granular similarities we’ve uncovered in these cases are particularly unique. This suggests that Royal’s reliance on affiliates might be more pronounced than previously assumed. Our comprehensive investigations highlight the importance of gaining nuanced insights into attacker behaviour.”
The specific similarities identified in the attacks include the utilization of identical usernames and passwords during system takeovers, the delivery of final payloads through .7z archives named after the victim organization, and the execution of commands using the same batch scripts and files.
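As an added illustration of the clustering idea (example code, not from the Sophos report), the script below scores pairwise overlap between incidents described by normalised behavioural observations of the kind listed above, links incidents whose overlap meets a threshold, and reports the behaviours common to each resulting cluster as candidate detection signals. All incident records and values are constructed placeholders, not indicators from the report.

```python
# Added example (not from the Sophos report): clustering incidents by shared
# attacker behaviours such as reused account names, archive naming and
# batch-script hashes. All incident data below is constructed for illustration.
from itertools import combinations

# Each incident lists normalised observations as "category:value" strings.
# Values are placeholders, not indicators from the report.
INCIDENTS = {
    "case-A": {"user:placeholder_admin1", "pwd_hash:PH1", "archive:<victim>.7z",
               "script_hash:BAT1", "tool:remote-admin-X"},
    "case-B": {"user:placeholder_admin1", "pwd_hash:PH1", "archive:<victim>.7z",
               "script_hash:BAT1", "tool:remote-admin-Y"},
    "case-C": {"user:placeholder_admin1", "archive:<victim>.7z", "script_hash:BAT1",
               "tool:remote-admin-Z", "pwd_hash:PH9"},
    "case-D": {"user:svc_other", "pwd_hash:PH7", "archive:data.zip",
               "script_hash:BAT5", "tool:remote-admin-X"},
}

def jaccard(a, b):
    """Overlap of two behaviour sets: |A & B| / |A | B| (0.0 for two empty sets)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def cluster(incidents, threshold=0.4):
    """Link incidents whose behaviour overlap meets the threshold and return
    the resulting clusters as sorted lists of incident ids (simple union-find)."""
    parent = {k: k for k in incidents}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    for a, b in combinations(incidents, 2):
        if jaccard(incidents[a], incidents[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for k in incidents:
        groups.setdefault(find(k), []).append(k)
    return sorted(sorted(g) for g in groups.values())

def shared_features(incidents, ids):
    """Behaviours present in every incident of a cluster: the signals a
    detection team would watch for regardless of which group is behind them."""
    return set.intersection(*(incidents[i] for i in ids))

if __name__ == "__main__":
    for group in cluster(INCIDENTS):
        print(group, sorted(shared_features(INCIDENTS, group)))
```

With the constructed data, cases A, B and C cluster on the reused account name, the victim-named .7z archive and the batch-script hash, while case D stays separate despite sharing one remote-administration tool with case A.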
The Sophos X-Ops team arrived at these interconnected discoveries following an extensive three-month inquiry into four ransomware attacks. The sequence began with the Hive ransomware incident in January 2023, followed by two separate Royal attacks in February and March and a Black Basta attack in March; across these four cases the investigation unveiled the recurring patterns described above.
The research also points to a potential rationale for these similarities. In January of the same year, a significant portion of Hive’s operations was disrupted by an FBI operation, potentially prompting former Hive affiliates to seek new alliances, such as those with Royal and Black Basta. This shift in affiliations could explain the recurring parallels observed in subsequent ransomware attacks.
While unveiling these connections can aid in attributing attacks, Sophos maintains that the focus should be on enhancing defences. Understanding specific attacker behaviours empowers managed detection and response teams to react promptly to ongoing attacks, reinforcing security measures for potential victims. This approach ensures robust protection against attacks that exhibit similar distinct characteristics, irrespective of the attacking group.
The full scope of these findings, including the importance of tracking threat activity clusters, is detailed in the article “Clustering Attacker Behavior Reveals Hidden Patterns.”
For more information about the evolving ransomware landscape and the latest insights from Sophos, explore resources like the 2023 Threat Report, the Ransomware Threat Intelligence Center, and the Sophos X-Ops blogs.
About Sophos: Sophos is a globally recognized leader and trailblazer in advanced cybersecurity solutions. With a commitment to Managed Detection and Response (MDR) and incident response services, along with a diverse portfolio of endpoint, network, email, and cloud security technologies, Sophos empowers organizations to thwart cyberattacks. Safeguarding over 500,000 organizations and 100 million users worldwide from threats like active adversaries, ransomware, phishing, and malware, Sophos offers services and products powered by its Sophos X-Ops cross-domain threat intelligence unit. The company’s cloud-based Sophos Central management console forms a hub for its offerings, which are fortified by the comprehensive data insights of Sophos X-Ops intelligence. This holistic approach enhances the Sophos Adaptive Cybersecurity Ecosystem and enables fully-managed, turnkey security solutions. Headquartered in Oxford, U.K., Sophos collaborates with reseller partners and managed service providers (MSPs) globally. Learn more at www.sophos.com.