ShadowSyndicate [1] [2] [3] [4] [5] [6] [7] [8] [9], a newly identified cybercrime group, has been active since July 2022 and is associated with multiple ransomware families [3] [5] [9]. The group relies on off-the-shelf post-exploitation tools and loaders [5], with Cobalt Strike being the most prominent in its operations. Connections have also been found between ShadowSyndicate and other malware operations, suggesting that it operates as a Ransomware-as-a-Service (RaaS) affiliate.

Description

ShadowSyndicate has been linked to several ransomware families [3] [8] [9], including Quantum [2] [3] [4] [5] [9], Nokoyawa [2] [3] [4] [5] [6] [7] [8] [9], BlackCat [3] [4] [5] [9], Royal [2] [3] [4] [5] [6] [7] [8] [9], Cl0p [2] [3] [4] [5] [6] [7] [8] [9], Cactus [2] [3] [4] [5] [7] [8] [9], and Play [4] [5]. The group uses post-exploitation frameworks such as Cobalt Strike and Sliver [3] [9], as well as loaders such as IcedID and Matanbuchus [3] [5] [9]. Cobalt Strike appears in approximately 61% of its operations and served as the command-and-control framework on 52 of the 85 servers that share a single distinctive SSH host-key fingerprint, the pivot researchers used to cluster the group's infrastructure. These servers are primarily located in Panama, Cyprus [3] [5] [9], Russia [3] [5] [9], Seychelles [3] [5] [9], Costa Rica [3] [5] [9], Czechia [3] [5] [9], Belize [3] [5] [9], Bulgaria [3] [5] [9], Honduras [3] [5] [9], and the Netherlands [3] [5] [9]. Additionally, connections have been found between ShadowSyndicate and other malware operations, including TrickBot [3] [9], Ryuk/Conti [3] [9], FIN7 [3] [9], and TrueBot [3] [9]. These findings strongly suggest that ShadowSyndicate is an affiliate of Ransomware-as-a-Service (RaaS) programs [1]. Cybersecurity researchers have also found evidence of possible infrastructure sharing between ShadowSyndicate and Cl0p ransomware affiliates.
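The SSH host-key pivot described above can be reproduced on the defender's side by computing OpenSSH-style fingerprints for scanned hosts and grouping hosts that present the same key. The following is an added example, not code from any of the cited reports; the host addresses, key blobs and the watchlist fingerprint are constructed stand-ins, since the page does not publish the real fingerprint.

```python
import base64
import hashlib


def _synthetic_blob(seed: bytes) -> str:
    """Build a constructed ssh-ed25519 key blob (wire format: type string,
    then a 32-byte key). Purely synthetic; not a key from any real server."""
    raw = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + hashlib.sha256(seed).digest()
    return base64.b64encode(raw).decode()


# Constructed scan inventory: host -> public key line as the SSH server presents it.
# Two hosts deliberately share one key, mirroring the clustering described in the text.
SCANNED_HOSTS = {
    "203.0.113.10": "ssh-ed25519 " + _synthetic_blob(b"shared-key"),
    "198.51.100.7": "ssh-ed25519 " + _synthetic_blob(b"shared-key"),
    "192.0.2.44": "ssh-ed25519 " + _synthetic_blob(b"other-key"),
}


def ssh_fingerprint(pubkey_line: str) -> str:
    """Return the OpenSSH SHA256 fingerprint ('SHA256:' + unpadded base64 of
    sha256(raw key blob)), matching what `ssh-keygen -lf` prints."""
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(hosts: dict) -> dict:
    """Group hosts by host-key fingerprint; clusters of size > 1 are candidates
    for shared infrastructure worth further investigation."""
    clusters = {}
    for host, line in hosts.items():
        clusters.setdefault(ssh_fingerprint(line), []).append(host)
    return clusters


def hosts_matching(hosts: dict, watchlist: set) -> list:
    """Return hosts whose fingerprint appears on a threat-intel watchlist."""
    return [h for h, line in hosts.items() if ssh_fingerprint(line) in watchlist]


# Placeholder watchlist: in practice this holds fingerprints from intel feeds.
WATCHLIST = {ssh_fingerprint(SCANNED_HOSTS["203.0.113.10"])}
```

Running `cluster_by_fingerprint(SCANNED_HOSTS)` yields one two-host cluster plus a singleton, and `hosts_matching` flags both hosts that share the watchlisted key.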

Conclusion

The activities of ShadowSyndicate pose a significant threat. The cybersecurity community must remain vigilant and collaborate to counter this evolving threat effectively. The use of off-the-shelf tools and loaders, together with the RaaS affiliation, highlights the group's adaptability. Mitigation efforts should focus on identifying and disrupting its command-and-control infrastructure, including the shared SSH host-key fingerprint that ties its servers together, as well as sharing intelligence and cooperating with law enforcement agencies. The evidence of possible infrastructure sharing between ShadowSyndicate and Cl0p ransomware affiliates further underscores the need for continued investigation and cooperation against these interconnected threats.

References

[1] https://cybernow.info/shadow-syndicate-and-ransomware-threats/
[2] https://www.scmagazine.com/news/shadowsyndicate-suspected-of-being-raas-affiliate-to-quantum-alphv-and-nokoyawa-groups
[3] https://vulners.com/thn/THN:B708BC08CC93762BBF7B7B889A0FB8E2
[4] https://thenimblenerd.com/article/shadowsyndicate-the-cybercrime-masterclass-with-a-twist-of-humor/
[5] https://cybersecurity-see.com/connection-discovered-between-7-ransomware-families-and-emerging-cybercriminal-organization/
[6] https://www.darkreading.com/attacks-breaches/researchers-uncover-raas-affiliate-distributing-multiple-ransomware-strains
[7] https://www.group-ib.com/blog/shadowsyndicate-raas/
[8] https://www.infosecurity-magazine.com/news/shadowsyndicate-reveals-raas-ties/
[9] https://www.443news.com/2023/09/a-new-cybercrime-group-linked-to-7-ransomware-families/