Royal, Hive, Black Basta ransomware gangs ‘collaborating on cyber attacks’
Affiliates from the now-defunct Hive ransomware group could be seeking opportunities with other major dark web players


A host of major ransomware gangs could be sharing intel and conferring over attack techniques, according to Sophos.
Researchers at the security firm analyzed connections between three of the most notorious ransomware outfits over the past year, including the Royal, Hive, and Black Basta gangs.
There were “distinct similarities” between techniques employed during four different incidents at the beginning of 2023, analysis showed, raising questions over whether the gangs have been collaborating.
“Despite Royal being a notoriously closed off group that doesn’t openly solicit affiliates from underground forums, granular similarities in the forensics of the attacks suggest all three groups are sharing either affiliates or highly specific technical details of their activities,” Sophos said.
These “unique similarities” included using the same usernames and passwords when attackers seized control of victims’ systems, the company said. These striking similarities included:
- Hive – first incident: Adm01/Adm02 | Pa$$w0rd991155 and AdminBac | P@ssW0dDP@ssW
- Royal – second incident: Adm04 | Pa$$w0rd12321 and AdminBac | P@ssW0dDP@ssW
- Black Basta – third incident: Adm066 | Pa$$w0rd11225 and WDAGUtilityAccount | P@ssw0rd123456789
In addition, similar techniques employed by all three included delivering payloads in .7z archives named specifically after the victim organization, as well as “executing commands on infected systems with the same batch scripts and files”.
RELATED RESOURCE
State of ransomware readiness 2022
Explore the business implications and personal impacts of ransomware.
Andrew Brandt, principal researcher at Sophos said traditional ransomware-as-a-service models require significant involvement from outside affiliates to conduct attacks. As such, there’s often crossover in tactics, techniques, and procedures they use.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
But the similarities here were striking, and could point to a deep degree of cross-communication, as well as the reliance on established affiliates for gangs like Royal.
“In these cases, the similarities we’re talking about are at a very granular level,” he added. “These highly specific, unique behaviors suggest that the Royal ransomware group is much more reliant on affiliates than previously thought.”
The attacks Sophos observed include a high-profile attack Hive instigated in January. The group, however, was taken down in a landmark operation conducted by the FBI and Europol later that month.
Law enforcement infiltrated Hive’s operations networks in mid-2022, with the takedown hailed as a rare occasion in which the FBI used offensive security tactics to cripple the organization.
The sting bore similarities to the joint international law enforcement takedown of the REvil ransomware gang in 2021, which prevented more than $100 million worth of ransomware payments being made, according to the FBI.
Sophos’ analysis suggested some of the corroborating techniques observed this year could point toward the use of Hive affiliates by other existing groups, specifically Royal.
“This operation could have led Hive affiliates to seek new employment – perhaps with Royal and Black Basta – which would explain the similarities in the ensuing ransomware attacks,” researchers said.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
Helping customers adopt a multi-cloud infrastructure and accelerate their modernization journey
Sponsored Content We outline what shifting to a subscription model means for your business
-
UK firms are 'sleepwalking' into smart building cyber threats
News The convergence of operational technology and IT systems is posing serious risks for property firms.
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector
-
Scattered Spider: Who are the alleged hackers behind the M&S cyber attack?
News The Scattered Spider group has been highly active in recent years
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.