Royal, Hive, Black Basta ransomware gangs ‘collaborating on cyber attacks’

A host of major ransomware gangs could be sharing intel and conferring over attack techniques, according to Sophos. 

Researchers at the security firm analyzed connections between three of the most notorious ransomware outfits over the past year, including the Royal, Hive, and Black Basta gangs. 

There were “distinct similarities” between techniques employed during four different incidents at the beginning of 2023, analysis showed, raising questions over whether the gangs have been collaborating. 

“Despite Royal being a notoriously closed off group that doesn’t openly solicit affiliates from underground forums, granular similarities in the forensics of the attacks suggest all three groups are sharing either affiliates or highly specific technical details of their activities,” Sophos said. 

These “unique similarities” included using the same usernames and passwords when attackers seized control of victims’ systems, the company said. These striking similarities included:

• Hive – first incident: Adm01/Adm02 | Pa$$w0rd991155 and AdminBac | P@ssW0dDP@ssW
• Royal – second incident: Adm04 | Pa$$w0rd12321 and AdminBac | P@ssW0dDP@ssW 
• Black Basta – third incident: Adm066 | Pa$$w0rd11225 and WDAGUtilityAccount | P@ssw0rd123456789 

In addition, similar techniques employed by all three included delivering payloads in .7z archives named specifically after the victim organization, as well as “executing commands on infected systems with the same batch scripts and files”. 

Andrew Brandt, principal researcher at Sophos said traditional ransomware-as-a-service models require significant involvement from outside affiliates to conduct attacks. As such, there’s often crossover in tactics, techniques, and procedures they use. 

But the similarities here were striking, and could point to a deep degree of cross-communication, as well as the reliance on established affiliates for gangs like Royal.

“In these cases, the similarities we’re talking about are at a very granular level,” he added. “These highly specific, unique behaviors suggest that the Royal ransomware group is much more reliant on affiliates than previously thought.”

The attacks Sophos observed include a high-profile attack Hive instigated in January. The group, however, was taken down in a landmark operation conducted by the FBI and Europol later that month. 

Law enforcement infiltrated Hive’s operations networks in mid-2022, with the takedown hailed as a rare occasion in which the FBI used offensive security tactics to cripple the organization. 

The sting bore similarities to the joint international law enforcement takedown of the REvil ransomware gang in 2021, which prevented more than $100 million worth of ransomware payments being made, according to the FBI. 

Sophos’ analysis suggested some of the corroborating techniques observed this year could point toward the use of Hive affiliates by other existing groups, specifically Royal. 

“This operation could have led Hive affiliates to seek new employment – perhaps with Royal and Black Basta – which would explain the similarities in the ensuing ransomware attacks,” researchers said.