Sophos, a global leader in innovating and delivering Cybersecurity-as-a-Service, has released new findings on the connections between the most prominent ransomware groups of the past year, including Royal, in its report “Clustering Attacker Behavior Reveals Hidden Patterns”.
Over the course of three months beginning in January 2023, Sophos X-Ops investigated four different ransomware attacks – one involving Hive, two by Royal and one by Black Basta – and noticed distinct similarities between the attacks. Despite Royal being a notoriously closed-off group that doesn’t openly solicit affiliates from underground forums, granular similarities in the forensics of the attacks suggest all three groups are sharing either affiliates or highly specific technical details of their activities. Sophos is tracking and monitoring the attacks as a ‘cluster of threat activity’ that defenders can use to speed up detection and response times.
“Because the Ransomware-as-a-Service model requires outside affiliates to carry out attacks, it’s not uncommon for there to be crossover in the tactics, techniques and procedures (TTPs) between these different ransomware groups,” said Andrew Brandt, Principal Researcher, Sophos.
“However, in these cases, the similarities we’re talking about are at a very granular level. These highly specific, unique behaviours suggest that the Royal ransomware group is much more reliant on affiliates than previously thought. The new insights we’ve gained about Royal’s work with affiliates and possible ties to other groups speak to the value of Sophos’ in-depth, forensic investigations.”