Black Basta, Hive and Royal ransomware gangs may share real-world connection

Three of the most prominent ransomware gangs of recent months – Black Basta, Hive and Royal – appear to share a number of distinctive characteristics that may indicate some degree of real-world connection, and even collaboration, according to researchers.

In research presented at Black Hat USA in Las Vegas, Sophos X-Ops researchers Andrew Brandt and Matt Wixey revealed previously unknown links connecting the various gangs’ modus operandi across several different attacks.

They said these “granular similarities” suggest all three either share affiliates or highly specific technical details of their activities – this in spite of Royal being notoriously closed off and apparently disinclined to collaborate with anybody, having never openly solicited affiliates to the best of the industry’s knowledge.

“Because the ransomware-as-a-service model requires outside affiliates to carry out attacks, it’s not uncommon for there to be crossover in the tactics, techniques and procedures (TTPs) between these different ransomware groups,” said Brandt.

“However, in these cases, the similarities we’re talking about are at a very granular level. These highly specific, unique behaviours suggest that the Royal ransomware group is much more reliant on affiliates than previously thought. The new insights we’ve gained about Royal’s work with affiliates and possible ties to other groups speak to the value of … in-depth, forensic investigations.”

Sophos is now tracking and monitoring the gangs’ various attacks as a cluster of threat activity in the hope it can help its customers improve their detection capabilities and bring down their response times should one of the three operations turn up on their network.

The attacks tracked by Brandt and Wixey took place between January and March 2023, during which period Hive was disrupted following a hack-back operation by the US authorities. It may be that members of this operation have jumped ship to Black Basta and Royal, which could go some way to explaining some of the similarities observed, although this is speculation.

Nevertheless, according to Sophos X-Ops, in the run-up to each of the analysed attacks, the attackers showed very specific behaviour patterns.

In each instance, they hijacked Domain Controller servers on which they set up their own admin-level accounts using identical usernames and passwords that are far too specific in their complexity to have been come up with by chance.

They went on to establish persistence mechanisms for their tooling using the same names and in the same ways, and employed identical pre-deployment batch scripts to lay the groundwork to deploy their ransomware.

When it came time to deploy their ransomware payloads, all three operations used the same methodology, dropping an archive built using the 7-Zip open source archiver and named after the targeted organisation, which was protected with the same password and deployed with the same shell command, containing an executable also named for the victim.

Explaining why these connections should matter to security teams at user organisations, Brandt said: “While threat activity clusters can be a stepping stone to attribution, when researchers focus too much on the ‘who’ of an attack they can miss critical opportunities for strengthening defences. Knowing highly specific attacker behaviour helps managed detection and response teams react faster to active attacks. It also helps security providers create stronger protections for customers.

“When protections are based on behaviours, it doesn’t matter who is attacking – Royal, Black Basta, or otherwise – potential victims will have the necessary security measures in place to block subsequent attacks that display some of the same distinct characteristics.”