ShadowSyndicate linked to 7 ransomware attacks in the past year

ShadowSyndicate, a group formerly known as Infra Storm, is suspected of deploying seven different ransomware families in a series of attacks spanning the past year.

Security researchers from Group-IB, working in conjunction with Bridewell and independent researcher Michael Koczwara, exposed the clandestine operations of the threat actor.

Their findings point to ShadowSyndicate's involvement in deploying ransomware strains such as Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus and Play, which have been observed wreaking havoc in multiple breaches since July 2022.

While ShadowSyndicate's exact role remains somewhat mysterious, researchers believe it may serve as an initial access broker (IAB). Yet evidence also suggests that it operates as an affiliate of multiple ransomware operations.

The linchpin of this revelation was the identification of a distinct SSH fingerprint on 85 IP servers. These servers, predominantly Cobalt Strike command-and-control systems, served as the epicentre of ShadowSyndicate's malicious activities.

The SSH fingerprint was first observed on July 16, 2022 and remained active until August 2023.

The researchers deployed an arsenal of investigative tools, including the Shodan and Censys discovery engines, and harnessed various open-source intelligence (OSINT) techniques. This comprehensive approach unveiled a sprawling footprint of ShadowSyndicate's activity.

Of particular note was the identification of eight different Cobalt Strike watermarks (license keys) on the compromised servers. These Cobalt Strike servers acted as conduits for communicating with a range of ransomware strains, including Cactus, Royal, Quantum, Nokoyawa, Play, Clop and BlackCat/ALPHV, all of which had been deployed across various victim networks.

Moreover, Cobalt Strike configurations were discovered on two servers, one of which featured the telltale ShadowSyndicate SSH fingerprint.

In some instances, ShadowSyndicate veered from its typical modus operandi, using the Sliver framework as an alternative to Cobalt Strike.

The group's toolkit extended further to include the IcedID malware loader, the Matanbuchus malware-as-a-service (MaaS) loader and the Meterpreter (Metasploit) payload.

ShadowSyndicate's fingerprints were found on 85 servers. These servers were connected to 18 different owners, featured 22 network names and were scattered across 13 different locations.

Delving deeper into the analysis, the researchers scrutinised Cobalt Strike command-and-control parameters such as detection dates, watermarks and sleep-time settings. This revealed compelling evidence linking ShadowSyndicate to Quantum, Nokoyawa and ALPHV/BlackCat ransomware.

Specifically, the servers were traced back to a Quantum attack from September 2022, three Nokoyawa attacks spanning Q4 2022 and April 2023, and an ALPHV attack in February 2023.

While there was less conclusive evidence connecting ShadowSyndicate to the Ryuk, Conti, Trickbot, Royal, Clop and Play malware operations, the researchers did unearth a noteworthy link in the case of Clop.

The report indicated that at least 12 IP addresses formerly associated with notorious ransomware operators had been transferred to ShadowSyndicate since August 2022 and were now repurposed for Cobalt Strike. Nevertheless, establishing a high-confidence direct link between ShadowSyndicate and Clop remains an ongoing challenge.

In their assessment, Group-IB's intelligence experts suggest that ShadowSyndicate likely functions as an affiliate collaborating with various ransomware-as-a-service (RaaS) operations.

However, this is just a theory, and the researchers need more proof to substantiate it.

"Although we have not reached a final verdict, all the facts obtained during this joint research project suggest that the most plausible assumption is that ShadowSyndicate is an affiliate working with various RaaS," said Group-IB.

Hemant, Deputy Editor at CandidTechnology, writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.
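The SSH host-key pivot described in the article, as an added example that is not code from the report or the article: it computes OpenSSH-style SHA256 fingerprints for scanned hosts and groups IPs that present the same host key, which is how a shared fingerprint across many servers is surfaced. The IPs, keys and key lines are constructed sample data.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


def build_ed25519_key_line(raw_key: bytes, comment: str) -> str:
    """Build an OpenSSH public key line from a raw 32-byte Ed25519 key (constructed sample data)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def ssh_fingerprint(key_line: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded key blob, base64 without '=' padding."""
    fields = key_line.split()
    # known_hosts lines carry a leading host field; plain public key lines start with the key type
    blob_b64 = fields[1] if fields[0].startswith(("ssh-", "ecdsa-")) else fields[2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_hosts_by_fingerprint(scan_results):
    """Group scanned hosts by host-key fingerprint; a key reused across IPs suggests one operator."""
    clusters = defaultdict(list)
    for ip, key_line in scan_results:
        clusters[ssh_fingerprint(key_line)].append(ip)
    # Only fingerprints shared by more than one host are useful for infrastructure pivoting
    return {fp: ips for fp, ips in clusters.items() if len(ips) > 1}


# Constructed sample scan using documentation-range IPs; two hosts reuse the same host key
SHARED_KEY = bytes(range(32))
UNIQUE_KEY = bytes(range(32, 64))
SAMPLE_SCAN = [
    ("192.0.2.10", build_ed25519_key_line(SHARED_KEY, "host-a")),
    ("198.51.100.7", build_ed25519_key_line(SHARED_KEY, "host-b")),
    ("203.0.113.42", build_ed25519_key_line(UNIQUE_KEY, "host-c")),
]

if __name__ == "__main__":
    for fp, ips in cluster_hosts_by_fingerprint(SAMPLE_SCAN).items():
        print(fp, "shared by", ", ".join(ips))
```

Against real scan data, the key lines would come from the host-key field of a Shodan or Censys SSH record rather than from the constructed builder.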