Cybersecurity analysts have traditionally studied ransomware attacks individually, focusing on the unique tactics, techniques, and procedures (TTPs) employed in each incident. However, new research from Sophos sheds light on the importance of looking beyond the surface, as attacks carried out by different threat groups often exhibit notable similarities.
These clusters of ransomware threats reveal overarching patterns and shared characteristics among attacks, which defenders can use to better prepare for and defend against future ransomware attacks. The study, titled “Clustering Attacker Behavior Reveals Hidden Patterns,” examines patterns observed over a three-month period from January to March 2023. The Sophos X-Ops team investigated four distinct ransomware attacks: two involving Hive, two linked to Royal, and one attributed to Black Basta.
Notably, the Royal ransomware group, known for its guarded nature and avoidance of public solicitation for affiliates on underground forums, displayed surprising similarities with other ransomware variants. This suggests that Hive, Royal, and Black Basta are either collaborating with the same affiliates or sharing technical insights about their operations. Sophos refers to these coordinated efforts as a “cluster of threat activity,” which provides valuable information for security teams to build effective detection and response strategies.
To leverage this threat cluster information for internal ransomware defense strategies, security teams can follow a data-driven approach. Sophos researchers recommend the following steps:
1. Data aggregation: Gather and analyze threat intelligence data, including indicators of compromise (IoCs), malware signatures, attack vectors, and behavioral patterns.
2. Pattern recognition: Utilize advanced analytics and machine learning to identify recurring TTPs, such as initial access methods, lateral movement techniques, and data exfiltration strategies.
3. Attribution and grouping: Associate ransomware attacks that exhibit common characteristics, such as specific threat actor groups, shared infrastructure, tools, or malware variants.
4. Temporal analysis: Scrutinize the timeline of ransomware attacks to identify patterns in their execution, such as coordinated campaigns or seasonal fluctuations in attack activity.
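The four steps above form one pipeline, so here is a single worked example that carries an incident set through all of them: aggregate each incident's observed behaviours, score pairwise overlap, group incidents whose overlap clears a threshold, and then report each cluster's shared behaviours and its timeline. This is an added illustration written for this page, not Sophos' own tooling; the incident records, the behaviour labels and the `Incident`, `jaccard`, `cluster_incidents` and `summarise_cluster` names are all hypothetical, constructed to show the method.

```python
"""Toy behaviour-clustering pipeline: aggregate TTPs per incident, score
pairwise overlap, group incidents into clusters, then summarise each
cluster's shared behaviours and timeline. Illustrative only."""
from dataclasses import dataclass
from datetime import date
from itertools import combinations


@dataclass(frozen=True)
class Incident:
    incident_id: str
    claimed_family: str        # what the ransom note / encryptor claimed
    observed: date             # date the intrusion was first seen
    ttps: frozenset            # observed behaviours, as hypothetical labels


# Step 1, data aggregation: constructed sample records (hypothetical, not
# Sophos' data). Labels loosely mimic MITRE-style tactic:technique naming.
INCIDENTS = [
    Incident("INC-01", "Hive", date(2023, 1, 10), frozenset({
        "initial_access:valid_vpn_account", "lateral:rdp",
        "lateral:remote_exec_tool", "exfil:cloud_sync_tool",
        "defense_evasion:disable_av"})),
    Incident("INC-02", "Royal", date(2023, 2, 3), frozenset({
        "initial_access:valid_vpn_account", "lateral:rdp",
        "lateral:remote_exec_tool", "exfil:cloud_sync_tool",
        "persistence:scheduled_task"})),
    Incident("INC-03", "Black Basta", date(2023, 3, 15), frozenset({
        "initial_access:valid_vpn_account", "lateral:rdp",
        "exfil:cloud_sync_tool", "defense_evasion:disable_av"})),
    Incident("INC-04", "Unattributed", date(2023, 2, 20), frozenset({
        "initial_access:phishing", "exfil:web_upload",
        "persistence:scheduled_task"})),
]


def jaccard(a: frozenset, b: frozenset) -> float:
    """Step 2, pattern recognition: overlap of two behaviour sets (0..1)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def cluster_incidents(incidents, threshold=0.5):
    """Step 3, grouping: link any two incidents whose TTP overlap meets the
    threshold (union-find) and return the components as sorted id lists.
    The claimed ransomware family is deliberately ignored here."""
    parent = {i.incident_id: i.incident_id for i in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(incidents, 2):
        if jaccard(a.ttps, b.ttps) >= threshold:
            parent[find(a.incident_id)] = find(b.incident_id)

    groups = {}
    for i in incidents:
        groups.setdefault(find(i.incident_id), []).append(i.incident_id)
    return sorted(sorted(g) for g in groups.values())


def summarise_cluster(incidents, member_ids):
    """Step 4, temporal analysis, plus the detection-relevant output: the
    behaviours present in every member, and the first/last sighting."""
    members = [i for i in incidents if i.incident_id in member_ids]
    shared = frozenset.intersection(*(m.ttps for m in members))
    first = min(m.observed for m in members)
    last = max(m.observed for m in members)
    return {
        "members": sorted(member_ids),
        "claimed_families": sorted({m.claimed_family for m in members}),
        "shared_ttps": sorted(shared),     # candidates for family-agnostic detections
        "first_seen": first,
        "last_seen": last,
        "span_days": (last - first).days,
    }


if __name__ == "__main__":
    for group in cluster_incidents(INCIDENTS):
        print(summarise_cluster(INCIDENTS, group))
```

With the sample data, the three incidents claiming different families land in one cluster because their intrusion behaviours overlap, while the phishing-led incident stays on its own; the `shared_ttps` list for a cluster is the set a detection engineer would turn into rules, since those behaviours held regardless of which brand was on the ransom note. Raising `threshold` makes grouping stricter and is the main knob to tune against a real incident corpus.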
Understanding these threat clusters can reshape organizations’ and security professionals’ approach to defending against ransomware attacks. With a deeper understanding of the commonalities that bind ransomware attacks within clusters, security experts can develop more proactive strategies to mitigate the risk of potential ransomware incidents. Moreover, by comprehending highly specific attacker behaviors, managed detection and response (MDR) teams can rapidly respond to attacks and security providers can enhance protection for their customers.
By establishing defense mechanisms based on behavioral patterns, the identity of the attacker becomes less relevant. Whether it’s Royal, Black Basta, or any other threat actor, what truly matters is ensuring that potential victims have the necessary security measures in place to thwart future attacks that exhibit these commonly shared characteristics. For more information on this research and its findings, refer to the article “Clustering Attacker Behavior Reveals Hidden Patterns” published by Sophos.