Conventional cyber threat intelligence techniques enable analysts to track, group and ultimately attribute incident data through indicators of compromise (IOCs). However, sometimes IOCs are insufficient for connecting the dots between different cases, particularly when adversaries reuse commodity tools. This presentation will demonstrate how using machine learning, specifically k-means clustering, can enable analysts to partition data points into multiple distinctive groups to discover previously unseen connections. Specifically, k-means clustering applied to Dharma and Phobos ransomware incident data revealed patterns to potentially provide insights into the actors behind the operations, as well as implications for the way actors monetize Dharma and Phobos campaigns.