ShadowSyndicate: A New RaaS Provider Launching Multiple Ransomware Attacks
Researchers have discovered a new Ransomware-as-a-Service (RaaS) threat actor that actively uses more than one ransomware family and has been linked to several ransomware attacks since July 2022.
The threat actor has been named "ShadowSyndicate" and operates a complex web of interconnected infrastructure. It has been observed using several well-known offensive toolkits, including Cobalt Strike, IcedID, and Sliver, in its attacks.
However, there is not yet a confirmed determination of whether the threat actor is a RaaS affiliate or an initial access broker.
ShadowSyndicate RaaS Provider
ShadowSyndicate has been active since July 2022 and has been observed using at least seven different ransomware families. The threat actor is also believed to be linked to Royal, Cl0p, Cactus, and Play ransomware activity.
The group employs a wide selection of tools in its operations. Among these are Cobalt Strike, a commercial adversary-simulation framework widely abused as a post-exploitation command-and-control (C2) tool; Sliver, an open-source C2 framework with a similar role; IcedID, a banking Trojan that steals financial data; Matanbuchus, a malware loader/backdoor; and Meterpreter, the Metasploit post-exploitation payload used to execute commands on compromised systems.
In addition, a connection was found between the group's infrastructure and Cl0p/Truebot. The threat actor is further attributed to Quantum ransomware activity (September 2022), Nokoyawa ransomware activity (October and November 2022, and March 2023), and ALPHV activity in February 2023.
Further investigation found that the threat actor used a single SSH host key fingerprint on 85 of its servers, 52 of which were running Cobalt Strike C2. Other servers were running Sliver, IcedID, and Matanbuchus. The infrastructure was also spread across 18 different hosts in multiple countries.
An SSH server identifies itself with a host key; the fingerprint (a hash of the public host key) is what clients use to verify that they are connecting to the expected server. Because the host key is normally generated per machine, the same fingerprint appearing on many servers indicates they were provisioned from a common image or by the same operator, which is what makes it useful for pivoting across infrastructure.
Researchers have noted that ShadowSyndicate's servers are not all owned by the same entity. This rules out the earlier hypothesis that ShadowSyndicate is a hosting provider that set up the SSH key on its own servers. Further investigation found 18 distinct server owners involved.
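The pivot described above, as an added example that is not part of the original article or of the Group-IB/Bridewell research: given a set of (IP, host key) records such as an internet scan returns, compute each key's OpenSSH-style fingerprint and group hosts that present the same key. The scan records, the IP addresses (RFC 5737 documentation ranges), and the keys are constructed here for illustration; the fingerprint format matches what `ssh-keygen -l -E sha256` and `-E md5` print.

```python
"""Pivot on SSH host-key fingerprints across scan results (added example)."""
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(pubkey_line: str, hash_alg: str = "sha256") -> str:
    """Return the OpenSSH-style fingerprint of a '<type> <base64 blob> [comment]' line.

    SHA256 fingerprints are "SHA256:" plus the unpadded base64 of the digest of
    the decoded key blob; MD5 fingerprints are "MD5:" plus colon-separated hex.
    """
    parts = pubkey_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64 blob> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    blob = base64.b64decode(blob_b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; reject
    # lines whose declared type disagrees with the encoded one.
    type_len = int.from_bytes(blob[:4], "big")
    if blob[4:4 + type_len] != key_type.encode():
        raise ValueError("key type in blob does not match declared key type")
    if hash_alg == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if hash_alg == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    raise ValueError("unsupported hash algorithm: " + hash_alg)


def cluster_by_fingerprint(records):
    """Group (ip, pubkey_line) records by SHA256 host-key fingerprint.

    Returns {fingerprint: sorted list of IPs}. An entry with more than one IP
    is a set of hosts presenting the same host key.
    """
    clusters = defaultdict(set)
    for ip, pubkey_line in records:
        clusters[ssh_fingerprint(pubkey_line)].add(ip)
    return {fp: sorted(ips) for fp, ips in clusters.items()}


def shared_key_clusters(records, min_hosts=2):
    """Keep only fingerprints seen on at least min_hosts distinct IPs."""
    return {fp: ips for fp, ips in cluster_by_fingerprint(records).items()
            if len(ips) >= min_hosts}


def _make_ed25519_key(raw32: bytes) -> str:
    """Build an OpenSSH public-key line from 32 raw bytes (constructed test data,
    not a real key)."""
    key_type = b"ssh-ed25519"
    blob = (len(key_type).to_bytes(4, "big") + key_type
            + len(raw32).to_bytes(4, "big") + raw32)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed"


# Constructed scan records: two hosts share one host key, a third has its own.
KEY_A = _make_ed25519_key(bytes(range(32)))
KEY_B = _make_ed25519_key(bytes(range(32, 64)))
SCAN_RECORDS = [
    ("192.0.2.10", KEY_A),
    ("198.51.100.7", KEY_A),
    ("203.0.113.44", KEY_B),
]

if __name__ == "__main__":
    for fp, ips in shared_key_clusters(SCAN_RECORDS).items():
        print(f"{fp} shared by {len(ips)} hosts: {', '.join(ips)}")
```

A shared fingerprint is a lead, not an attribution: as the researchers found here, the hosts in one cluster can sit with many different owners, so the next step is to check who registered each IP and what other services (Cobalt Strike watermarks, C2 configs) the hosts expose.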
The relationship between ShadowSyndicate and other malware families was found by analyzing the configurations on each attacker-controlled server. It is also suspected that threat actors formerly belonging to Ryuk, Conti, and TrickBot are continuing their activity in other criminal groups.
However, there appears to be no conclusive evidence to support that suspicion. Group-IB has published a complete report in collaboration with Bridewell on the threat actor and its infrastructure, including the IP addresses of servers controlled by the threat actor, its relations with other ransomware groups, Cobalt Strike watermarks, and other details.
Source credit : cybersecuritynews.com