Cybersecurity analysts have typically dissected ransomware attacks in isolation, scrutinizing the tactics, techniques, and procedures (TTPs) unique to each incident. However, new Sophos research shows why it is critical for defenders to look beyond the surface as attacks executed by different threat groups often display noteworthy similarities.
These so-called ransomware threat clusters offer insights into overarching patterns and shared characteristics among attacks that can be used to better prepare and defend against ransomware exploits in the future, say researchers.
The study, titled “Clustering Attacker Behavior Reveals Hidden Patterns,” looks at patterns over three months from January to March 2023. The Sophos X-Ops team investigated four distinct ransomware attacks involving Hive, two instances linked to Royal, and one attributed to Black Basta.
The Royal ransomware group, known for being particularly guarded and for avoiding public solicitation for affiliates on underground forums, revealed a surprising degree of uniformity with other ransomware variants, according to researchers. The findings indicate that all three groups, Hive, Royal, and Black Basta, are either collaborating with the same affiliates or sharing specific technical insights about their operations. Sophos classified these coordinated efforts as a “cluster of threat activity,” a concept that offers security teams insights for building detection and response strategies.
Discovering the common thread in ransomware
How can security teams gather this kind of threat cluster information for their own internal ransomware defense strategy? To identify and understand these ransomware threat clusters, Sophos’ researchers suggest teams use the following data-driven approach steps to identify patterns, including:
- Data aggregation: Gather and analyze threat intelligence data, including indicators of compromise (IoCs), malware signatures, attack vectors, and behavioral patterns.
- Pattern recognition: Use advanced analytics and machine learning to uncover patterns of recurring TTPs, such as initial access methods, lateral movement techniques, and data exfiltration strategies.
- Attribution and grouping: Link ransomware attacks that exhibit common characteristics. This might involve associating attacks with specific threat actor groups or identifying shared infrastructure, tools, or malware variants.
- Temporal analysis: Scrutinize the timeline of ransomware attacks to discern patterns in their execution. This could reveal coordinated campaigns or seasonal fluctuations in attack activity.
Using the details for defense
Understanding threat clusters can reshape how organizations and security pros approach defense against ransomware attacks. Armed with a deeper understanding of the commonalities that bind ransomware attacks within clusters, security experts can craft more proactive strategies to prepare for the potential for ransomware. Understanding highly specific attacker behaviors can help speed response by managed detection and response (MDR) teams when faced with an attack, and can also help security providers better protect their customers.
By building defense mechanisms rooted in behavioral patterns, the identity of the attacker becomes inconsequential–be it Royal, Black Basta, or any other threat actor. What truly matters is that potential victims have the essential security measures in position to thwart future attacks that display these commonly-shared characteristics. Read more about the research and findings in the article “Clustering Attacker Behavior Reveals Hidden Patterns” from Sophos.