ShadowSyndicate suspected of being RaaS affiliate to several ransomware families


A suspected ransomware-as-a-service (RaaS) affiliate dubbed “ShadowSyndicate” has been observed operating with a single Secure Shell (SSH) fingerprint on 85 servers since July 2022 and has used seven different ransomware families to launch attacks during the past year.

In a blog post Sept. 26, Group-IB researchers said it’s very rare for one SSH fingerprint to have such a complex web of connections with a large number of malicious servers.
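The pivot Group-IB describes, grouping servers that present the same SSH host key, can be reproduced from ordinary `ssh-keyscan` output. The following is an added example, not code from the article or from Group-IB; the host addresses and ed25519 key material are constructed (TEST-NET ranges, fixed key bytes) purely to exercise the logic.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH wire-format string (4-byte big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_pubkey: bytes) -> str:
    """Build a base64 ssh-ed25519 public key blob (RFC 8709 layout). Constructed test data only."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return base64.b64encode(blob).decode()


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the decoded key blob.
    This matches what `ssh-keygen -lf` prints for the same key."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(records):
    """Group hosts by host-key fingerprint.
    records: lines in ssh-keyscan format, i.e. '<host> <keytype> <base64>'; '#' comment lines are skipped."""
    clusters = defaultdict(list)
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _keytype, b64 = line.split()[:3]
        clusters[fingerprint(b64)].append(host)
    return dict(clusters)


def shared_key_clusters(records, min_hosts=2):
    """Return only the fingerprints seen on at least `min_hosts` distinct hosts: the candidates for
    shared infrastructure that analysts would then corroborate with other evidence."""
    return {fp: hosts for fp, hosts in cluster_by_fingerprint(records).items() if len(hosts) >= min_hosts}


# Constructed sample scan: three hosts reuse one host key, a fourth has its own.
KEY_A = make_ed25519_blob(b"\x01" * 32)
KEY_B = make_ed25519_blob(b"\x02" * 32)
SAMPLE_SCAN = [
    "# 203.0.113.10:22 SSH-2.0-OpenSSH_8.9",
    f"203.0.113.10 ssh-ed25519 {KEY_A}",
    f"203.0.113.22 ssh-ed25519 {KEY_A}",
    f"198.51.100.7 ssh-ed25519 {KEY_A}",
    f"192.0.2.5 ssh-ed25519 {KEY_B}",
]
```

A shared fingerprint is a lead, not proof: hosting templates and cloned images also produce identical host keys, which is why the article's attribution confidence is graded per group.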

Group-IB said it was unable to confirm for certain whether ShadowSyndicate operates as a RaaS affiliate or an initial access broker, but based on its research, Group-IB believed that the threat actor was operating as a RaaS affiliate.

Group-IB based its theory on the finding that watermarks from several of the seven ransomware groups identified could be detected on a single server. While this complicates attribution, the researchers said it confirmed their theory that ShadowSyndicate operates as a RaaS affiliate that works with various RaaS groups.

The Group-IB researchers said they can attribute ShadowSyndicate with a high degree of confidence to Quantum ransomware activity in September 2022, the Nokoyawa ransomware group in October 2022 and March 2023, and ALPHV (BlackCat) activity in February 2023.

The researchers can attribute the following ransomware groups to ShadowSyndicate with a low degree of confidence: Royal, Cl0p, Cactus, and Play. ShadowSyndicate was also found to use known off-the-shelf toolkits such as Cobalt Strike, IcedID, and Sliver malware. At least 52 of the servers use the Cobalt Strike C2 framework.

Group-IB conducted the research on ShadowSyndicate by forming a Cybercrime Fighters Club with Joshua Penny from Bridewell, Group-IB’s longtime MSSP partner in Europe, and threat researcher Michael Koczwara.

When groups start using technology such as Cobalt Strike, IcedID, and Sliver and SSH servers that are “fingerprintable,” it can go both ways when it comes to attribution, said Mayuresh Dani, manager, threat research at Qualys.

“Unique fingerprints lead to precise attribution and shared fingerprints lead to incorrect attribution,” said Dani. “However, their use of off-the-shelf multiple ransomware families, C2…
