Sophos X-Ops has exposed a new connection between seemingly unrelated ransomware attacks.
The findings, drawn from several ransomware attacks in the first quarter of 2023, revolve around the concept of a “threat activity cluster”: a set of highly specific attacker behaviors that recur across otherwise unrelated incidents.
According to a report published by Sophos at Black Hat USA today, defenders can anticipate an attacker's likely next moves by matching the behaviors observed during an ongoing ransomware incident against those seen in earlier ones.
However, the discovery of a threat activity cluster does not immediately provide the identity of the culprits, explained Sophos security experts Andrew Brandt and Matt Wixey. Instead, it acts as a crucial stepping stone toward pinpointing those responsible for the attacks.
What sets a threat activity cluster apart is its focus on granular details that only those directly involved – attackers, victims and defenders – would know. These stand in contrast to broad, commonplace attacker behaviors shared across many groups, and their recurrence points to a detailed playbook guiding the attackers’ actions.
Perhaps the most notable finding is the suggestion that the Royal ransomware group may be working with external affiliates, particularly those associated with Hive and Black Basta. This challenges established assumptions about how the group operates and adds a further layer of complexity to the ransomware landscape.
The research uncovers granular similarities in attack behaviors, showing close alignment between these groups in tactics, techniques and procedures (TTPs). The overlap goes beyond what the ransomware-as-a-service model would normally explain, revealing particular and unusual behaviors that indicate a deep level of collaboration.
The report also found that the attackers reused identical usernames and passwords when taking over systems, delivered their final payloads in .7z archives named after the victim organization, and executed commands on compromised systems using identical batch scripts and files.
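The linking logic described above can be made concrete. The following is an added example, not code from Sophos or the report: it takes a handful of constructed incident records (the case names, credentials, hashes and victim names are all invented placeholders) and groups them into clusters only where they share rare, attacker-specific artifacts such as a reused credential pair, an identical script hash or a victim-named .7z archive, while ignoring commodity tradecraft like PsExec or RDP that nearly every ransomware affiliate uses and that therefore links nothing. The weights and threshold are assumptions chosen for illustration.

```python
"""Cluster ransomware incidents by the rare, attacker-specific artifacts they share.

Added example with constructed data; not Sophos's code or schema.
"""
import re
from collections import defaultdict
from itertools import combinations

# Tradecraft seen in most ransomware intrusions regardless of operator: it is
# deliberately excluded from the fingerprint so it cannot link two cases.
COMMODITY_TOOLS = {"psexec", "rdp", "rclone", "mimikatz", "cobaltstrike"}

# Assumed weights: a reused user/password pair is the strongest link, an identical
# script hash next, and a naming convention or rare tool is only corroborating.
WEIGHTS = {"cred": 3, "script": 2, "victim_named_7z": 1, "tool": 1}
LINK_THRESHOLD = 3  # assumed: a single corroborating trait is not enough to link

# Constructed sample incidents (placeholder names, credentials and hashes).
INCIDENTS = {
    "case-1": {"victim": "Acme Widgets", "accounts": [("svcadmin", "P@ss2023!")],
               "archive": "Acme_Widgets.7z", "script_sha256": ["s1", "s2"],
               "tools": ["psexec", "rdp"]},
    "case-2": {"victim": "Globex Corp", "accounts": [("SVCADMIN", "P@ss2023!")],
               "archive": "GlobexCorp.7z", "script_sha256": ["s2"],
               "tools": ["psexec", "rclone"]},
    "case-3": {"victim": "Initech", "accounts": [("backupadm", "Winter2023")],
               "archive": "Initech.7z", "script_sha256": ["s3"],
               "tools": ["psexec", "rdp", "mimikatz", "bespoke_dropper.exe"]},
    "case-4": {"victim": "Umbrella", "accounts": [("backupadm", "Winter2023")],
               "archive": "loot.7z", "script_sha256": ["s3", "s4"],
               "tools": ["rdp", "bespoke_dropper.exe"]},
}


def _norm(s):
    """Lower-case and strip everything but letters and digits."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def archive_named_after_victim(filename, victim):
    """True when the payload archive is a .7z whose stem is the victim's name."""
    m = re.fullmatch(r"(.+)\.7z", filename, flags=re.IGNORECASE)
    return bool(m) and _norm(m.group(1)) == _norm(victim)


def fingerprint(inc):
    """The set of high-specificity traits of one incident; commodity tools are dropped."""
    fp = set()
    for user, pw in inc["accounts"]:
        fp.add(("cred", user.lower(), pw))  # usernames compared case-insensitively
    for h in inc["script_sha256"]:
        fp.add(("script", h))
    if archive_named_after_victim(inc["archive"], inc["victim"]):
        fp.add(("victim_named_7z",))
    for tool in inc["tools"]:
        if tool.lower() not in COMMODITY_TOOLS:
            fp.add(("tool", tool.lower()))
    return fp


def shared_specifics(a, b):
    """Traits two incidents have in common."""
    return fingerprint(a) & fingerprint(b)


def link_score(a, b):
    """Weighted evidence that two incidents belong to the same activity cluster."""
    return sum(WEIGHTS[t[0]] for t in shared_specifics(a, b))


def clusters(incidents, threshold=LINK_THRESHOLD):
    """Union-find over every pair whose link score reaches the threshold."""
    parent = {k: k for k in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(incidents, 2):
        if link_score(incidents[a], incidents[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for k in incidents:
        groups[find(k)].add(k)
    return sorted(groups.values(), key=min)


if __name__ == "__main__":
    for group in clusters(INCIDENTS):
        print(sorted(group))
```

Run against the constructed data, cases 1 and 2 cluster together (shared credential pair, shared script, both archives named after the victim) and cases 3 and 4 cluster together (shared credential pair, shared script, shared non-commodity tool), while the PsExec and RDP usage common to three of the four cases links nothing. The point of the weighting is the same one the report makes: a trait only links incidents when it is specific enough that unrelated actors would be unlikely to share it.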
“Knowing highly specific attacker behavior helps managed detection and response teams react faster to active attacks,” explained Brandt.
“It also helps security providers create stronger protections for customers. When protections are based on behaviors, it doesn’t matter who is attacking—Royal, Black Basta, or otherwise—potential victims will have the necessary security measures in place to block subsequent attacks that display some of the same distinct characteristics.”