Royal, Hive, Black Basta ransomware gangs ‘collaborating on cyber attacks’
Affiliates from the now-defunct Hive ransomware group could be seeking opportunities with other major dark web players


A host of major ransomware gangs could be sharing intel and conferring over attack techniques, according to Sophos.
Researchers at the security firm analyzed connections between three of the most notorious ransomware outfits over the past year, including the Royal, Hive, and Black Basta gangs.
There were “distinct similarities” between techniques employed during four different incidents at the beginning of 2023, analysis showed, raising questions over whether the gangs have been collaborating.
“Despite Royal being a notoriously closed off group that doesn’t openly solicit affiliates from underground forums, granular similarities in the forensics of the attacks suggest all three groups are sharing either affiliates or highly specific technical details of their activities,” Sophos said.
These “unique similarities” included using the same usernames and passwords when attackers seized control of victims’ systems, the company said. These striking similarities included:
- Hive – first incident: Adm01/Adm02 | Pa$$w0rd991155 and AdminBac | P@ssW0dDP@ssW
- Royal – second incident: Adm04 | Pa$$w0rd12321 and AdminBac | P@ssW0dDP@ssW
- Black Basta – third incident: Adm066 | Pa$$w0rd11225 and WDAGUtilityAccount | P@ssw0rd123456789
In addition, similar techniques employed by all three included delivering payloads in .7z archives named specifically after the victim organization, as well as “executing commands on infected systems with the same batch scripts and files”.
RELATED RESOURCE
State of ransomware readiness 2022
Explore the business implications and personal impacts of ransomware.
Andrew Brandt, principal researcher at Sophos said traditional ransomware-as-a-service models require significant involvement from outside affiliates to conduct attacks. As such, there’s often crossover in tactics, techniques, and procedures they use.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
But the similarities here were striking, and could point to a deep degree of cross-communication, as well as the reliance on established affiliates for gangs like Royal.
“In these cases, the similarities we’re talking about are at a very granular level,” he added. “These highly specific, unique behaviors suggest that the Royal ransomware group is much more reliant on affiliates than previously thought.”
The attacks Sophos observed include a high-profile attack Hive instigated in January. The group, however, was taken down in a landmark operation conducted by the FBI and Europol later that month.
Law enforcement infiltrated Hive’s operations networks in mid-2022, with the takedown hailed as a rare occasion in which the FBI used offensive security tactics to cripple the organization.
The sting bore similarities to the joint international law enforcement takedown of the REvil ransomware gang in 2021, which prevented more than $100 million worth of ransomware payments being made, according to the FBI.
Sophos’ analysis suggested some of the corroborating techniques observed this year could point toward the use of Hive affiliates by other existing groups, specifically Royal.
“This operation could have led Hive affiliates to seek new employment – perhaps with Royal and Black Basta – which would explain the similarities in the ensuing ransomware attacks,” researchers said.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.
-
Effective Data and Cleo expand partnership to drive supply chain integration capabilities
News The agreement will deepen collaboration between the Cleo Integration Cloud (CIC) and Effective Data’s data integration expertise
-
AI adoption is finally driving ROI for B2B teams in the UK and EU
News Early AI adopters across the UK and EU are transforming their response processes, with many finding first-year ROI success
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs
-
It's been a bad week for ransomware operators
News A host of ransomware strains have been neutralized, servers seized, and key players indicted
-
Everything we know about the Peter Green Chilled cyber attack
News A ransomware attack on the chilled food distributor highlights the supply chain risks within the retail sector