A New Cluster of Threat Activity: Cybercriminals, Friends, and Allies

Background of Cyber Cluster Activity

Since the beginning of 2023, cyber threat research has revealed that several known ransomware groups are sharing Tactics Techniques and Procedures (TTPs) at a granular level. It is likely this trend is due to new ransomware-as-a-service (RaaS) groups emerging and existing groups re-branding or shutting down operations. Due to the RaaS operating model, it is not uncommon for there to be crossover in groups and the TTPs they use. However, in the instances below, the similarities in TTPs suggest that the threat actors are using the same play books. These instances have been noted as cluster activity within the cybersecurity domain. These highly specific, unique behaviors suggest that the ransomware groups are much more reliant on affiliates than previously thought. This trend highlights the complex and ever-changing nature of the cybercrime economy.

Ransomware source code is extremely complex and requires very skilled technicians to write. This has made it very difficult for threat actors with a small footprint in the cyber domain to create and carry out ransomware attacks. However, ransomware attacks provide threat actors with a quick pay day to re-invest in their operations, making the attack vector highly sought after. Therefore, large threat actors within the domain have established RaaS operations. This provides all threat actors with the ability to buy the rights to use the ransomware at a fraction of the resources it takes to create the source code. Over the past two years, major cyber threat actors have had their ransomware source code leaked, or ex-hackers have left one organization and brought source code to their new employer.

The trend of several organizations using the same granular TTPs can pose a significant threat, as these operations often enable more sophisticated and successful attacks than would be possible as separate entities. Additionally, the collaboration between threat actors also broadens the ability to target several industries. These incidents of cluster activity suggest that there is a trend toward a greater democratization of ransomware adversaries.

Cluster of Threat Actors

Hive, Royal, Black Basta

The first group of threat actors that have been sharing TTPs involve Hive, Royal, and Black Basta. In recent ransomware attacks by these groups, the same granular similarities in the forensics of the attack revealed they all used the same specific usernames and passwords to gain access to the targets systems. Additionally, all three RaaS groups delivered the .7z payload with the same executing commands with the same batch scripts and files on the infected systems.

FIN7 and Ex-Conti hackers

FIN7 and ex-Conti hackers have both been using the new Domino malware family to spread info-stealers or Cobalt Strike. The Domino malware is a new family of malware discovered in 2023, allegedly created by the FIN7 threat group. The malware leverages Domain Name System (DNS) security gaps to breach corporate systems and has two components – a backdoor, and a loader that injects an info-stealing malware dynamic-link library (DLL) into the memory of another process.

Rhysida Ransomware and Vice Society

Rhysida is a relatively new threat actor that has developed ransomware that utilizes a set of unique TTPs similar to Vice Society. Vice Society activity has recently ceased, and the group is assessed to have disappeared. This has led to speculation that these two groups have potentially merged, which would explain why the TTPs utilized were identical. Additionally, both cybercriminal groups are known to target the same industries of the education and healthcare sector.

8Base, RansomHouse, Phobos

8Base ransomware group was recently noted as using a ransom note that appeared to be a direct copy of RansomHouse’s ransom notes. Additionally, 8Base used the same language and data leaks portals that RansomHouse uses. Furthermore, a Phobos ransomware sample was discovered that used the “.8base” file extension suggesting that Phobos and 8Base are connected.

The Impact of Threat Actors Working in Clusters

Cyber threat actors working in clusters could lead to openly sharing technical expertise, coding, and reduces the timeline between updates of ransomware. Additionally, cyber threat actors could share targets information for double extortion opportunities for collaborating groups. This could cause a rapid security shift within the ransomware eco-system, making it difficult for cybersecurity experts to develop mitigation techniques.

It is critical for security providers to understand attack patterns and group TTPs to create stronger cybersecurity measures. However, cluster activity allows threat actors to hide attribution, reducing the ability for cybersecurity experts and governments to target and shut down ransomware groups. Collaboration between different cyber threat groups highlights the complex and ever-changing nature of the cybercrime economy. Organizations must remain vigilant and adopt robust security measures to mitigate the risk of being targeted by sophisticated cyber-attacks.

The Critical Start Cyber Threat Intelligence (CTI) team will continue to monitor the situation and work closely with our SOC to implement any relevant detections. For future updates, the CTI team will post via ZTAP® Bulletins and on the Critical Start Intelligence Hub.

CRITICALSTART® offers a pioneering solution to modern organizational challenges in aligning cyber protection with risk appetite through its Cyber Operations Risk & Response™ platform, award-winning Managed Detection and Response (MDR) services, and a dedicated human-led risk and security team. By providing continuous monitoring, mitigation, maturity assessments, and comprehensive threat intelligence research, they enable businesses to proactively protect critical assets with measurable ROI. Critical Start’s comprehensive approach allows organizations to achieve the highest level of cyber risk reduction for every dollar invested, aligning with their desired levels of risk tolerance.

References: