The increasing dependence on technology has made society vulnerable to cyber threats, with ransomware becoming a major concern. The complex nature of the Ransomware-as-a-Service (RaaS) model makes identifying the attackers challenging. Traditional methods often rely on direct indicators, but these may not be readily available or reliable. This research explores the potential of utilizing indirect indicators to improve correlating ransomware attacks to specific threat actors. This results in the formulation of the following research question:
"If and to what extent can the analysis of indirect indicators be utilized to improve correlating ransomware attacks with cyber-threat actors?"
The research employs a mixed-methods approach. A literature review examines the techniques, indicators, and taxonomies used for attributing cyber-threat actors in general. Expert interviews then explore how the attribution of ransomware threat actors differs from that of general cyber-threat actors, and highlight the need to use indirect indicators in the attribution process for ransomware threat actors. Finally, a cybersecurity company's 2023 ransomware incident reports are analysed to understand how the ransomware attacks are investigated and how the attribution conclusions are drawn.
This study identifies differences in attributing ransomware and general cyber-threat actors. While indirect indicators are crucial for attributing general cyber-threat actors, ransomware attackers often directly identify themselves through ransomware notes. These notes often provide access to communication channels and leak sites, offering substantial evidence for attribution.
The study also finds that Tactics, Techniques, and Procedures (TTPs) tend to be generic in ransomware attacks, offering limited value for differentiating between actors. However, based on the interviews, there is a need for a central database of observed indirect indicators to facilitate future research and attribution efforts. Consequently, the research finds some promising results for using indirect indicators in ransomware threat actor attribution. The first finding is that the TTPs are less generic than initially thought, as 32% of the techniques and 47% of the sub-techniques were unique to a single actor. In addition, analysing the specific tools and techniques used by different actors, such as Blackcat's use of "nltest" for domain trust discovery, can help identify and differentiate them. Furthermore, threat actors observed only once in the ransomware attacks of 2023 often used unique techniques, potentially allowing for differentiation based on this factor.
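The uniqueness measurement and the differentiation idea above can be expressed as a small attribution helper. The following is an added example, not code from the thesis: the ATT&CK technique IDs are real (T1482 is Domain Trust Discovery, the technique "nltest" is used for), but the actor names and the actor-to-technique mapping are constructed, and the rarity-weighted scoring is an assumed approach chosen to illustrate why shared techniques such as T1486 carry no attribution value while actor-unique ones do.

```python
from collections import Counter
from math import log

# Constructed sample data: which ATT&CK techniques each (hypothetical) ransomware
# actor was observed using across a set of incident reports. Not real findings.
OBSERVED = {
    "actor_a": {"T1486", "T1059.001", "T1021.001", "T1003.001", "T1482"},
    "actor_b": {"T1486", "T1059.001", "T1021.001", "T1003.001", "T1048.003"},
    "actor_c": {"T1486", "T1059.001", "T1021.001", "T1562.001"},
}


def technique_counts(observed):
    """Number of distinct actors each technique was observed with."""
    return Counter(t for techs in observed.values() for t in techs)


def unique_fraction(observed):
    """Fraction of all observed techniques that appear with exactly one actor,
    i.e. the figure the thesis reports as 32% for techniques."""
    counts = technique_counts(observed)
    return sum(1 for c in counts.values() if c == 1) / len(counts)


def distinguishing(observed):
    """Per actor, the techniques that no other actor in the sample used."""
    counts = technique_counts(observed)
    return {actor: sorted(t for t in techs if counts[t] == 1)
            for actor, techs in observed.items()}


def rank_actors(incident_techs, observed):
    """Score candidate actors by rarity-weighted overlap with an incident's techniques.
    Weight per matching technique is log(actors / actors_using_it): a technique every
    actor uses (T1486, Data Encrypted for Impact) scores 0, an actor-unique one scores
    most. Returns (actor, score) pairs, best match first."""
    counts = technique_counts(observed)
    n = len(observed)
    scores = {actor: sum(log(n / counts[t]) for t in incident_techs & techs)
              for actor, techs in observed.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    # Constructed incident: encryption, domain trust discovery and LSASS dumping seen.
    incident = {"T1486", "T1482", "T1003.001"}
    print(f"unique fraction: {unique_fraction(OBSERVED):.2f}")
    print("distinguishing:", distinguishing(OBSERVED))
    print("ranking:", rank_actors(incident, OBSERVED))
```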
In conclusion, this study demonstrates that analysing indirect indicators can be a valuable tool in correlating ransomware attacks to specific threat actors. While certain limitations exist, continued research and development of this approach have the potential to significantly improve our ability to identify and track ransomware attackers.