A comprehensive analysis uncovers connections among infamous ransomware groups such as Hive, Royal, and Black Basta within the past year.
In a report titled, “Clustering Attacker Behavior Reveals Hidden Patterns,” Sophos reveals the interconnections between notorious ransomware groups like Hive, Royal, and Black Basta in the past year.
The three-month study, which began in January 2023, uncovered striking similarities in their methods, suggesting a degree of affiliation or knowledge exchange between the Royal ransomware group and other prominent ransomware groups.
Striking similarities involve:
- Using the same login credentials for system entry.
- Delivering the final payload through victim-specific .7z archives.
- Employing shared batch scripts for consistent command execution on compromised systems.
According to the report, the Royal ransomware group stands out with distinct, detailed similarities, indicating a more substantial reliance on affiliates.
Andrew Brandt, principal researcher at the security company, highlighted the significance of their findings about Royal ransomware group’s collaboration with companions and potential connections to other groups.
“These unique behaviors suggest that the Royal ransomware group is much more reliant on affiliates than previously thought. The new insights we’ve gained about Royal’s work with affiliates and possible ties to other groups speak to the value of Sophos’ in-depth, forensic investigations,” said Andrew Brandt, principal researcher, Sophos.
The collaborative nature of Royal ransomware group
Sophos X-Ops analyzed four ransomware incidents in a comprehensive three-month investigation to uncover connections between these malicious threat actors.
The technical analysis covered the Hive ransomware group in January 2023, followed by Royal’s actions in February and March of the same year.
During this timeframe, the Black Basta ransomware group also launched its ransomware campaign in March.
Notably, the FBI’s intervention in late January 2023 significantly impacted Hive’s operations. This disruption potentially led former Hive affiliates to join forces with the Royal and Black Basta ransomware groups, explaining the striking similarities observed in subsequent attacks.
The study revealed a threat activity cluster characterized by repetitive tactics. Commonalities included reuse of files (file1.bat, file2.bat, ip.txt, gp.bat), specific usernames/passwords (Adm01/Adm02 | Pa$$w0rd991155, AdminBac | [email protected]@ssW, etc.), and creation of persistence methods through Scheduled Tasks.
Attackers leveraged Cobalt Strike beacons hosted on public sites, ran PowerShell commands encoded in base64, and executed PowerShell from a duplicate copy of PowerShell.exe that they created under the name “exe.”
The attackers behind these ransomware groups resorted to Safe Mode to thwart endpoint protection. Shared infrastructure, consistent payloads, and recurring IP addresses pointed to a potential connection among the various ransomware families.
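The overlaps listed above (reused batch file names, reused account names, Scheduled Task persistence, base64-encoded PowerShell, a copy of PowerShell.exe renamed “exe,” and a Safe Mode reboot) are all things a defender can look for in command-line and logon telemetry. The following triage script is an added example, not code from the Sophos report or from The Cyber Express. It runs a small set of rules over a handful of constructed log lines; the log format is invented for the example, and the rule for Safe Mode assumes the conventional `bcdedit ... safeboot` boot-configuration change, which the article does not spell out.

```python
import base64
import re
from collections import Counter

# Indicators quoted in the article: reused file names and reused account names.
REUSED_FILES = re.compile(r"\b(?:file1\.bat|file2\.bat|ip\.txt|gp\.bat)\b", re.I)
REUSED_USERS = {"adm01", "adm02", "adminbac"}

# Behavioural rules. The safeboot rule is an assumption about how Safe Mode is
# usually forced; the article only says the attackers "resorted to Safe Mode".
RULES = [
    ("scheduled_task_persistence",
     re.compile(r"\bschtasks(?:\.exe)?\b.*/create\b", re.I)),
    ("encoded_powershell",
     re.compile(r"\bpowershell(?:\.exe)?\b.*\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)),
    ("powershell_copied_as_exe",
     re.compile(r"\bcopy\b.*\bpowershell\.exe\b.*\\exe(?:\.exe)?\b", re.I)),
    ("safe_mode_boot_config",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bsafeboot\b", re.I)),
]
RULES_BY_NAME = dict(RULES)


def decode_encoded_command(blob):
    """Decode a PowerShell -EncodedCommand value (base64 of UTF-16LE); '' if invalid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def triage_line(line):
    """Return the names of every indicator a single log line trips, in rule order."""
    hits = [name for name, rx in RULES if rx.search(line)]
    if REUSED_FILES.search(line):
        hits.append("reused_batch_file")
    # Compare account names token-wise so 'adm01' does not match 'badm01x'.
    tokens = set(re.findall(r"[a-z0-9]+", line.lower()))
    if tokens & REUSED_USERS:
        hits.append("reused_account_name")
    return hits


def triage(lines):
    """Run the rules over a log; return per-line hits, a tally, decoded PowerShell
    and a coarse verdict (three or more distinct indicators looks cluster-like)."""
    findings, tally, decoded = [], Counter(), []
    for no, line in enumerate(lines, 1):
        hits = triage_line(line)
        if hits:
            findings.append((no, hits))
            tally.update(hits)
        m = RULES_BY_NAME["encoded_powershell"].search(line)
        if m:
            decoded.append(decode_encoded_command(m.group(1)))
    return {"findings": findings, "tally": tally,
            "decoded_powershell": decoded, "cluster_like": len(tally) >= 3}


# Constructed sample log (not real telemetry). The encoded command is built here
# so the base64 is guaranteed to be well-formed.
ENC = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    'host=SRV01 event=logon user=AdminBac result=success',
    'host=SRV01 user=Adm01 cmd="schtasks /create /tn Updater /tr C:\\Temp\\file1.bat /sc onstart"',
    'host=SRV01 user=Adm01 cmd="copy C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Temp\\exe"',
    f'host=SRV01 user=Adm01 cmd="powershell.exe -nop -w hidden -enc {ENC}"',
    'host=SRV01 user=Adm01 cmd="bcdedit /set {default} safeboot network"',
    'host=WS07 user=jsmith cmd="notepad.exe C:\\Users\\jsmith\\notes.txt"',
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for no, hits in result["findings"]:
        print(f"line {no}: {', '.join(hits)}")
    print("decoded PowerShell:", result["decoded_powershell"])
    print("cluster-like:", result["cluster_like"])
```

Only the base64 decoder is the interesting piece: PowerShell's `-EncodedCommand` takes base64 of a UTF-16LE string, so a decoder that assumes UTF-8 will produce garbage with embedded nulls. The rules themselves are deliberately narrow; in production they would be matched against process-creation and logon events rather than free-text lines.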
Origins of famous and notorious ransomware groups
Royal ransomware
Royal ransomware group’s sophisticated approach to initial access involves skillful phishing campaigns, often employing malicious PDFs and callback phishing.
Predominantly targeting the United States (64%), they repurpose tools like Cobalt Strike, NSudo, and PsExec to blend in with ordinary administrative activity.
The group also returns after an attack, reinfecting systems for later exploitation. Unlike industry-focused ransomware, the Royal ransomware group opportunistically exploits vulnerabilities across diverse sectors, which makes identifying it harder.
Hive ransomware group
The Hive ransomware group is a central affiliate-based entity that emerged in June 2021 and has since targeted diverse sectors like healthcare, nonprofits, and energy.
Operating as Ransomware-as-a-Service, the Hive ransomware group equips affiliates to launch ransomware attacks.
Tactics include phishing, VPN leaks, and exploiting vulnerabilities. They warn victims of data exposure on the ‘HiveLeaks’ TOR site if ransom demands are unmet.
Hive’s roots are linked to the decline of the Conti ransomware group, seen through shared victim leaks.
Black Basta ransomware group
Black Basta ransomware group, a ransomware-as-a-service (RaaS) actor, emerged in April 2022. Known for double-extortion tactics, it recently incorporated the Qakbot trojan and PrintNightmare exploit. Despite being new, the Black Basta ransomware group opts for targeted over widespread attacks.
Notably, the group targets large corporations with the intent of leaking their data. Skilled at obtaining network credentials from underground markets, it operates with a sophistication comparable to veteran cybercriminals.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.