Unveiling Ransomware Groups’ Hidden Patterns: Insights from Clustering Attacker Behavior

Estimated Reading Time: 3 minutes

Experts at Sophos X-Ops have uncovered a groundbreaking discovery – a series of ransomware attacks carried out by different groups that actually share uncanny similarities in their behavior. This revelation underscores the importance of analyzing attacker patterns to better defend against evolving threats.

Unmasking the Patterns

In a recent blog post by Sophos X-Ops, the spotlight is on a series of ransomware attacks that exhibit strikingly similar characteristics. This discovery revolves around what is referred to as Threat Activity Clusters (TACs). The researchers noticed recurring behaviors in various ransomware campaigns, including the deployment of ransomware families like Royal, Black Basta, and Hive. Here are the key insights from their findings:

Common File and User Naming Conventions

Perhaps one of the most intriguing findings is the consistent use of the same file names and user accounts across different incidents. The attackers repeatedly employed filenames like file1.bat, file2.bat, ip.txt, and gp.bat. Furthermore, they created user accounts with names like Adm01, Adm02, AdminBac, and more. This consistency points to a coordinated effort or shared resources among the different groups.

Persistence Through Scheduled Tasks

Persistence is a critical aspect of any successful attack, and the attackers here seem to have recognized this. They utilized identical Scheduled Task names across multiple incidents. Names like “Microsoft Update,” “Windows Update,” and variations thereof were used consistently. This pattern of persistence showcases a calculated approach towards maintaining control over the compromised systems.

Tailored Ransomware Payloads

The attackers demonstrated a unique strategy when it came to delivering ransomware payloads. Each attack involved delivering the ransomware within a password-protected .7z archive. The archive was named after the victim organization, and the ransomware binary shared the same name as the archive. This approach indicates a deliberate attempt to target specific victims, making the attacks more targeted and effective.

Uniform Cobalt Strike Beacon Retrieval

Cobalt Strike beacons are often used as a tactic for command and control communication. The attackers in these incidents sourced their Cobalt Strike beacons from public sites like Pastebin, Textbin, or even the IPFS network. This demonstrates an intricate level of coordination and strategic planning.

Varied Remote Access Tools

While the attackers displayed remarkable consistency in some aspects, they also showcased adaptability in their choice of remote access tools. They employed commercial tools such as TeamViewer, WizTree, and Citrix Enterprise Browser, enabling them to maintain a foothold within the compromised networks.

Data Staging and Exfiltration

The attackers’ approach to staging and exfiltrating data was also remarkably uniform across incidents. They employed Rclone to exfiltrate data, using the same methods and locations consistently. This behavior further solidifies the notion that these incidents are connected by a common thread.

The discovery of these hidden patterns and insights from Sophos X-Ops emphasizes the importance of studying attacker behavior at a granular level. By identifying these commonalities, defenders can develop more effective countermeasures and responses to thwart evolving threats.


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog