Same threats, different ransomware – Sophos News

Sophos X-Ops has developed a system to track and cluster threat activity in the Ransomware-as-a-Service (RaaS) ecosystem. Its aim is to identify patterns of attacker behavior independent of the specific ransomware variant deployed. In a recent blog post, Sophos described a Threat Activity Cluster (TAC) that deployed several ransomware families, including Hive, Black Basta, and Royal, over a period of months. Despite the change in payload, the group consistently used the same tactics, techniques, and procedures (TTPs). Sophos also highlighted a case in which a ransomware affiliate group shifted from Vice Society to Rhysida ransomware while keeping its TTPs constant.

The article gives an overview of six sample cases, detailing for each the date of ransomware deployment, victimology, observed activity, dwell time, and the malware and tools used. Sophos tracks this cluster of attacker behavior as TAC5279, which overlaps with Microsoft's tracking of Vanilla Tempest. The group initially used the prolific Vice Society ransomware family before pivoting to Rhysida, and the article suggests a connection between Vice Society and Rhysida based on evidence from their data leak sites.

The article then details the TTPs common to TAC5279: initial access through compromised VPN accounts that lacked multi-factor authentication (MFA); malware such as SystemBC and PortStarter; legitimate applications such as Advanced Port/IP Scanner and AnyDesk; data collection; and exploitation of vulnerabilities. Lateral movement within the network was achieved primarily through Remote Desktop Protocol (RDP) and PuTTY. The threat actors also exploited the Zerologon vulnerability to gain administrative access to Windows domain controllers. Backdoors and legitimate tooling were used for persistence and command-and-control (C2), with the PortStarter backdoor and SystemBC observed in most of the intrusions.

Sophos customers are protected against these activities. The article concludes by emphasizing the importance of tracking and clustering attacker behavior to better understand ransomware operators' tactics and defend against their attacks.