
New Connection Between Hive, Royal, and Black Basta Ransomware Found by Sophos

Recent Attacks Indicate Playbook Sharing or Affiliates Between the Three Ransomware Groups.

Sophos by Techrectory.

In its report, “Clustering Attacker Behavior Reveals Hidden Patterns,” Sophos, a leader in innovating and delivering cybersecurity as a service, revealed new information about the relationships between some of the most well-known ransomware groups of the past year, including Royal.

Sophos X-Ops examined four different ransomware attacks over the course of three months beginning in January 2023: one involving Hive, two by Royal, and one by Black Basta. The investigations revealed clear parallels between the attacks.

Granular similarities in the attack forensics suggest that all three groups are sharing either affiliates or extremely specific technical details of their operations, despite the fact that Royal is a notoriously secretive group that doesn’t openly solicit affiliates from underground forums.

Sophos is tracking and monitoring the attacks as a “cluster of threat activity,” which defenders can use to accelerate detection and response times.

“Crossover in the tactics, techniques, and procedures (TTPs) between these various ransomware groups is not uncommon because the ransomware-as-a-service model necessitates outside affiliates to carry out attacks. The similarities we’re referring to in these instances, though, are extremely minute. These extremely particular, distinctive behaviors point to the Royal ransomware group’s greater dependence on affiliates than previously believed,” said Andrew Brandt, principal researcher at Sophos. “The new information we’ve learned about Royal’s work with affiliates and potential connections to other groups speaks to the value of Sophos’ in-depth, forensic investigations.”

The specific usernames and passwords that the attackers used to gain access to the targets’ systems, the delivery of the final payload in a .7z archive bearing the name of the victim organization, and the execution of commands on the compromised systems using the same batch scripts and files are just a few of the peculiar similarities.

After a three-month investigation into four ransomware attacks, Sophos X-Ops was able to find these connections.

Hive ransomware was used in the initial attack in January 2023. Attacks by Royal in February and March 2023 and then by Black Basta in March followed. A significant portion of Hive’s operation was disbanded near the end of January of this year as a result of an FBI sting operation. That takedown may explain the similarities in the ensuing ransomware attacks, as it could have prompted Hive affiliates to look for new employment with Royal and Black Basta.

The four ransomware incidents were tracked by Sophos X-Ops as a cluster of threat activity because of the similarities between these attacks.
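To make the clustering idea concrete, here is an added example that is not part of the Sophos report or of this article. It groups incident records into a threat activity cluster by how much their observed attacker behaviours overlap, and then reports the behaviours shared by every member of a cluster, which is the part a detection team would turn into behaviour-based protections. Every incident record, tag name and value below is constructed for illustration; the tag vocabulary (`cred:`, `archive:`, `script:`, `family:`) and the overlap threshold are assumptions of this example, not anything from the report.

```python
"""Added example (not from the Sophos report or the Techrectory article):
grouping ransomware incidents into a threat activity cluster by the overlap
of their observed behaviours. All incident data below is constructed."""
from itertools import combinations

# Constructed incidents. Each record lists observed behaviours as opaque tags
# (a hash of the credential that was used, the payload archive naming pattern,
# the name of a batch script). Values are placeholders, not real indicators.
INCIDENTS = {
    "INC-1-hive": {"cred:hash-A", "archive:7z-named-after-victim", "script:run.bat", "family:hive"},
    "INC-2-royal": {"cred:hash-A", "archive:7z-named-after-victim", "script:run.bat", "family:royal"},
    "INC-3-royal": {"cred:hash-A", "archive:7z-named-after-victim", "script:run.bat", "family:royal"},
    "INC-4-basta": {"cred:hash-A", "archive:7z-named-after-victim", "script:run.bat", "family:blackbasta"},
    "INC-5-other": {"cred:hash-B", "archive:zip-random-name", "script:deploy.ps1", "family:lockbit"},
}


def behaviour_tags(indicators):
    """Drop the family label: clustering is on attacker behaviour, not on
    which ransomware binary was eventually dropped."""
    return {t for t in indicators if not t.startswith("family:")}


def jaccard(a, b):
    """Set overlap in [0, 1]; two empty sets are treated as unrelated."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster_incidents(incidents, threshold=0.6):
    """Union-find: incidents whose behaviour overlap is >= threshold join one
    cluster. Returns clusters largest first, ties broken by incident name."""
    parent = {k: k for k in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for x, y in combinations(incidents, 2):
        if jaccard(behaviour_tags(incidents[x]), behaviour_tags(incidents[y])) >= threshold:
            parent[find(x)] = find(y)

    clusters = {}
    for k in incidents:
        clusters.setdefault(find(k), set()).add(k)
    return sorted(clusters.values(), key=lambda c: (-len(c), sorted(c)))


def shared_behaviours(incidents, cluster):
    """Behaviours common to every incident in a cluster: the behaviour-based
    detection surface that holds regardless of which family is involved."""
    sets = [behaviour_tags(incidents[k]) for k in cluster]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for c in cluster_incidents(INCIDENTS):
        families = sorted(t for k in c for t in INCIDENTS[k] if t.startswith("family:"))
        print(sorted(c), families, sorted(shared_behaviours(INCIDENTS, c)))
```

With the constructed data, the four incidents that share a credential, the archive naming pattern and the batch script land in one cluster even though three different families are involved, while the unrelated fifth incident stays on its own; the shared-behaviour set is what a detection rule would key on rather than the family name.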

“While threat activity clusters can serve as a first step toward attribution, if researchers spend too much time figuring out who launched an attack, they risk missing crucial chances to fortify defenses. Managed detection and response teams can respond to active attacks more quickly when they are aware of highly specific attacker behavior. Additionally, it aids security providers in fortifying customer defenses. Potential victims will have the necessary security measures in place to block follow-up attacks that display some of the same distinct characteristics when protections are based on behaviors; it doesn’t matter who is attacking—Royal, Black Basta, or anyone else,” said Brandt.

Royal ransomware is the second most common ransomware family Sophos Incident Response has encountered so far this year.


Written by Grace Ene

Author for Techrectory.
