Cybersecurity provider Sophos has unveiled fresh insights into the interconnections among prominent ransomware factions over the past year. The company’s latest report, titled “Unveiling Covert Patterns in Attacker Strategies,” delves into the relationships between key players, including Royal. Over a three-month period commencing in January 2023, Sophos X-Ops analyzed four distinct ransomware incidents: one involving Hive ransomware, two orchestrated by the Royal faction, and another by Black Basta. Evident commonalities across these attacks prompted a closer examination, suggesting that the groups share affiliates or intricate technical methodologies. This led Sophos to designate these incidents as a “cluster of threat activity,” offering defenders a means to enhance their detection and response capabilities.
Sophos’ Principal Researcher, Andrew Brandt, noted, “While it’s typical for various ransomware groups to share tactics, techniques, and procedures through the ransomware-as-a-service model, the level of granularity observed in these instances is striking. The highly distinct behaviors imply a stronger reliance of the Royal ransomware faction on affiliates than previously assumed.” Brandt underlined the value of in-depth investigations in gaining insights into these intricate affiliations.
The distinctive resemblances uncovered include the use of identical usernames and passwords during system infiltration, delivery of the final payload via .7z archives named after the targeted organizations, and execution of commands on compromised systems using identical batch scripts and files.
Sophos X-Ops embarked on this investigation after a series of ransomware attacks, beginning with the Hive ransomware incident in January 2023, followed by Royal’s exploits in February and March of the same year, and concluding with Black Basta’s activities in March. Notably, Hive encountered a significant setback in January due to a sting operation led by the FBI. This disruption potentially prompted former Hive affiliates to align themselves with Royal and Black Basta, thus accounting for the observed parallels in subsequent attacks.
Recognizing the correlations among these incidents, Sophos X-Ops has designated them as a unified cluster of threat activity.
Brandt cautioned against an overly narrow focus on the attribution of attacks, emphasizing the significance of understanding attacker behaviors to bolster defense mechanisms. “By concentrating on specific attacker patterns, managed detection and response teams can swiftly counter ongoing attacks and fortify safeguards for customers. When defense strategies are rooted in behavior-based principles, the identity of the attacker becomes less critical—be it Royal, Black Basta, or any other—enabling potential victims to thwart subsequent attacks that exhibit comparable distinct attributes,” Brandt stated.