Clustering attacker behavior reveals hidden patterns

A collection of very specific behaviors, observed by Sophos X-Ops incident response analysts in the lead-up to four separate ransomware attacks in the first quarter of 2023, indicates an unexpected connection between the attacks.

In the parlance of the Managed Detection and Response (MDR) team, the peculiarly similar details constitute a threat activity cluster that Sophos can track. The Sophos MDR team performed postmortem investigations at the request of the targets. The attacks we examined targeted unrelated businesses operating in different geographies, and involved different ransomware groups.

Why this matters

Knowing who is doing the attacking while a ransomware attack is taking place, and their usual behavior, can give a defender valuable insight into what the attacker might do next.
A threat activity cluster isn’t an attribution, but is a stepping stone to making an attribution to who might be behind an attack.
Threat activity clusters don’t necessarily include the more common aspects of attacker behavior; rather, they include very narrowly-focused details that are not apparent to anyone other than the target and their defender(s), and that would be hard for someone who isn’t the attacker (or who isn’t following a detailed attacker playbook) to replicate.
The criminals who operate Royal ransomware reputedly don’t publicly solicit affiliates to work with them. The threat activity cluster indicates that this secretive group may actually be working with outside affiliates, and may be recruiting elsewhere.
This threat activity cluster has already borne fruit, linking these attacks to a Cactus ransomware attack reported by Kroll.

A step towards attribution

Ransomware-deploying threat actors do have a tendency to reuse a lot of the same tools, techniques, and procedures; some ransomware groups have even created playbooks for their affiliates to follow. For example, many of them deploy Cobalt Strike beacons as a form of remote access to the target’s network, or may perform brute-force attacks against Remote Desktop as a way to move laterally within a target’s network. Many also target an organization’s Domain Controller servers as a way to take control of other machines on the network.

But these are broad strokes; the behavioral details in this threat activity cluster are far more narrowly focused.

In the run-up to each ransomware attack, logs and records collected by Sophos MDR show very specific patterns of behavior:

the attackers created their own administrator-level accounts on hijacked Domain Controller servers, using the same usernames and complex passwords, too specific to have been random chance
they installed persistence mechanisms for their tooling with the same names, and in the same ways
they employed identical pre-deployment batch scripts to lay the groundwork for the ransomware deployment
they deployed the final ransomware payload using the same paradigm: dropping a .7z archive, named after the organization that was being targeted, that contained an executable also named after the targeted organization. The .7z archive was password-protected with the same password, and deployed with the same shell command.

What made the threat activity cluster all the more interesting to Sophos MDR is that, among the ransomware deployed during the attacks, two of the attacks involved ransomware known as Royal – a notoriously closed-off group of ransomware developers and attackers who, reputedly, do not solicit outsider “affiliate” attackers to work with them on cybercrime forums.

The Royal ransomware ransom note. The redacted line is an alphanumeric string, unique to each victim, which is also used as a command-line parameter for the ransomware binary. A similar technique was used by the Hive ransomware gang.

While a threat activity cluster is not the same thing as an attribution, it could eventually lead to an attribution, given enough high-confidence evidence. Observing the same behaviors does not necessarily mean that these attacks were all carried out by the same individuals. Rather, the attackers in these cases appear to have followed curiously similar playbooks. A fifth attack, involving yet another different ransomware payload, analyzed by the company Kroll, also appears to share the characteristics of this threat activity cluster.

A closer analysis of six attacks involving Royal ransomware showed that the threat activity cluster characteristics lined up in two of the attacks.

Repeat use of the same files, passwords, and names

Sophos drew the threat activity cluster connection by studying the details of attacks against four targets, involving three ransomware families, over the course of three months.

Of the ransomware that was deployed in the incidents – Royal, Black Basta, and Hive – two of the ransomware groups publicly disclose that they use affiliates, while Royal reportedly does not advertise on crimeware forums to solicit affiliates, as the others do.

The threat activity cluster is based on specific behaviors and tooling, including:

the use of the same batch scripts and files: file1.bat, file2.bat, ip.txt, and gp.bat
file1.bat: a batch file designed to set up the system with autologon as the newly-created administrative user AdminBac, reboot into Safe Mode (several ransomware groups leverage Safe Mode, because real-time detection and protection products are typically disabled in that environment), and execute file2.bat
file2.bat: a second batch file, executed in Safe Mode via a registry key, designed to unpack the ransomware binary from the encrypted archive (using a bundled copy of 7-Zip), execute it, and wait for it to finish encrypting files before rebooting the affected computer back into normal mode
ip.txt (sometimes ip1.txt): a list of hostnames on a given internal domain, generated using a widely-abused, legitimate tool called Advanced Port Scanner
gp.bat: executes file1.bat by forcing a Group Policy update

When the attackers take over a Domain Controller or other system, they create one or more rogue user accounts with administrative privileges, with specific usernames and passwords, adding them to the local administrators group using net.exe and directly modifying Registry entries to remove restrictions.
Adm01/Adm02 P@ssW0dDP@ssW (second incident, Royal)
Adm066
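The cluster indicators listed above (the rogue administrator accounts and local-group additions, the autologon and Safe Mode set-up performed by file1.bat, the file1.bat/file2.bat/ip.txt/gp.bat file names, and the password-protected .7z extraction) are individually noisy but become a strong signal when several of them appear on the same host. The script below is an added example written for this page, not Sophos MDR tooling: it scores constructed process-creation log lines per host and flags any host that accumulates at least three distinct indicators. The log format, host names, the `SAMPLE_LOGS` contents and the indicator thresholds are assumptions; the registry value and boot-configuration keywords it matches are the standard Windows mechanisms for autologon and Safe Mode, used here only as detection patterns.

```python
"""Correlate threat-activity-cluster indicators per host (added example, not from the report)."""
import re
from collections import defaultdict

# Constructed sample process-creation log lines (hypothetical hosts and users).
# Format: host | user | command line
SAMPLE_LOGS = [
    r"DC01 | CORP\svc_backup | net user AdminBac <redacted> /add",
    r"DC01 | CORP\svc_backup | net localgroup administrators AdminBac /add",
    r'DC01 | CORP\svc_backup | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 1 /f',
    r"DC01 | CORP\svc_backup | bcdedit /set {default} safeboot network",
    r"DC01 | CORP\svc_backup | cmd.exe /c C:\temp\file1.bat",
    r"WS22 | CORP\jdoe | net localgroup administrators CORP\helpdesk /add",
    r"WS22 | CORP\jdoe | 7z.exe x backup.7z -pSomething",
    r"FS03 | CORP\jdoe | cmd.exe /c gp.bat",
]

# Each indicator maps to one narrowly-focused behaviour from the cluster description.
INDICATORS = {
    # rogue admin account names seen in the cluster (AdminBac, Adm01/Adm02, Adm066)
    "rogue_admin_account": re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(?:Adm\d{2,3}|AdminBac)\b", re.I),
    # adding any account to the local administrators group via net.exe
    "local_admin_group_add": re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add", re.I),
    # autologon configured through the Winlogon registry key (what file1.bat sets up)
    "autologon_registry": re.compile(
        r"\breg(?:\.exe)?\s+add\s+.*winlogon.*\b(?:AutoAdminLogon|DefaultUserName|DefaultPassword)\b", re.I),
    # boot configuration switched to Safe Mode
    "safe_mode_boot": re.compile(r"\bbcdedit(?:\.exe)?\s+.*\bsafeboot\b", re.I),
    # the cluster's batch and host-list file names
    "cluster_batch_file": re.compile(r"\b(?:file1|file2|gp)\.bat\b|\bip1?\.txt\b", re.I),
    # 7-Zip extracting a .7z archive with a command-line password (file2.bat behaviour)
    "sevenzip_extract_with_password": re.compile(r"\b7za?(?:\.exe)?\s+x\s+\S+\.7z\s+.*-p\S+", re.I),
}


def parse_line(line):
    """Split 'host | user | command' into its three fields."""
    host, user, cmd = (part.strip() for part in line.split("|", 2))
    return host, user, cmd


def match_indicators(cmd):
    """Return the set of indicator names whose pattern matches this command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}


def score_hosts(lines, min_indicators=3):
    """Aggregate distinct indicators per host; flag hosts at or above the threshold.

    A single indicator (e.g. one localgroup add) is routine admin activity; the
    cluster is recognisable by several of them co-occurring on one machine.
    """
    per_host = defaultdict(set)
    for line in lines:
        host, _user, cmd = parse_line(line)
        per_host[host] |= match_indicators(cmd)
    return {host: sorted(hits) for host, hits in per_host.items() if len(hits) >= min_indicators}


if __name__ == "__main__":
    for host, hits in score_hosts(SAMPLE_LOGS).items():
        print(f"{host}: {len(hits)} cluster indicators -> {', '.join(hits)}")
```

Running it flags only DC01, which shows five of the six indicators; WS22 (one legitimate-looking group add plus one archive extraction) and FS03 (a lone gp.bat) stay below the threshold. The threshold and the per-host window are the knobs to tune: in a real SIEM you would also bound the correlation to a time window and enrich with the account-creation events the page describes rather than relying on command lines alone.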
