Cybersecurity experts recently shed light on a newly emerging cybercrime group named ShadowSyndicate, formerly Infra Storm. This group has potentially utilized up to seven different ransomware families over the past year.
Details about the Group
ShadowSyndicate has collaborated with various ransomware groups and their affiliates since July 16, 2022.
They have been linked to ransomware activities related to Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains. Additionally, they deploy readily available post-exploitation tools like Cobalt Strike and Sliver and loaders such as IcedID and Matanbuchus.
The Prodigy of Attack
The identification of ShadowSyndicate is based on a unique SSH host-key fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) found on 85 servers, 52 of which were used as command-and-control (C2) servers for Cobalt Strike.
Notably, eight distinct Cobalt Strike license keys (or watermarks) were discovered among these servers.
Geographically, the largest share of these servers (23) is located in Panama, followed by Cyprus (11), Russia (9), Seychelles (8), Costa Rica (7), Czechia (7), Belize (6), Bulgaria (3), Honduras (3), and the Netherlands (3).
Additionally, Group-IB has uncovered infrastructure overlaps connecting ShadowSyndicate to TrickBot, Ryuk/Conti, FIN7, and TrueBot malware operations. This indicates the potential sharing of infrastructure among these groups.
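The pivot described above works because an SSH server's host-key fingerprint is just the MD5 (or SHA-256) digest of its public key blob, so the same key reused across servers yields the same fingerprint. The following Python is an added example, not code from the original article or from Group-IB, showing how a defender can compute that fingerprint from an OpenSSH public key line and match it against an indicator list. It assumes the 32-hex-character value on the page is an MD5 fingerprint (MD5 digests are 32 hex characters), and the host records and keys it uses are constructed, not real ShadowSyndicate infrastructure.

```python
import base64
import hashlib
import struct

# The fingerprint reported on the page, in bare lowercase hex form.
SHADOWSYNDICATE_FP = "1ca4cbac895fc3bd12417b77fc6ed31d"


def ssh_md5_fingerprint(public_key_line: str) -> str:
    """Return the MD5 fingerprint (32 lowercase hex chars, no colons) of an
    OpenSSH public key line such as 'ssh-ed25519 AAAA... comment'.
    The fingerprint is the digest of the base64-decoded key blob."""
    parts = public_key_line.split()
    if len(parts) < 2:
        raise ValueError("expected '<keytype> <base64-blob> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    return hashlib.md5(blob).hexdigest()


def colon_form(fp_hex: str) -> str:
    """Render bare hex as 'MD5:xx:xx:...' the way ssh-keygen -l -E md5 prints it."""
    return "MD5:" + ":".join(fp_hex[i:i + 2] for i in range(0, 32, 2))


def normalize(fp: str) -> str:
    """Accept 'MD5:aa:bb:..', 'aa:bb:..' or bare hex and return bare lowercase hex,
    so indicators copied from different reports compare equal."""
    fp = fp.strip().lower()
    if fp.startswith("md5:"):
        fp = fp[4:]
    return fp.replace(":", "")


def match_host_keys(records, indicators):
    """records: iterable of (host, public_key_line) from a scan or ssh-keyscan run.
    Returns [(host, fingerprint)] for hosts whose key fingerprint is in indicators."""
    wanted = {normalize(i) for i in indicators}
    hits = []
    for host, key_line in records:
        fp = ssh_md5_fingerprint(key_line)
        if fp in wanted:
            hits.append((host, fp))
    return hits


def _constructed_ed25519_key(raw: bytes) -> str:
    """Build a syntactically valid ssh-ed25519 public key line from 32 constructed
    bytes. This is NOT a real key pair; it only exercises the RFC 4253 string
    encoding (4-byte big-endian length prefix before key type and key bytes)."""
    if len(raw) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    keytype = b"ssh-ed25519"
    blob = struct.pack(">I", len(keytype)) + keytype + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


# Constructed scan records (documentation-range addresses, fabricated keys).
SAMPLE_RECORDS = [
    ("203.0.113.10", _constructed_ed25519_key(bytes(range(32)))),
    ("203.0.113.11", _constructed_ed25519_key(bytes(range(32, 64)))),
]

if __name__ == "__main__":
    for host, key in SAMPLE_RECORDS:
        print(host, colon_form(ssh_md5_fingerprint(key)))
    print("hits:", match_host_keys(SAMPLE_RECORDS, {SHADOWSYNDICATE_FP}))
```

In practice the records would come from `ssh-keyscan` output or an internet-scan dataset, and the indicator set from the published report; because `normalize` strips the `MD5:` prefix and colons, fingerprints pasted from `ssh-keygen -l -E md5` output and from the bare-hex form on the page match the same way. Note that `ssh-keygen` defaults to SHA-256 fingerprints on modern OpenSSH, so `-E md5` is required to compare against an MD5 indicator.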
Linking Ransomware with ShadowSyndicate
This revelation coincides with German law enforcement authorities conducting a targeted operation against individuals associated with the DoppelPaymer ransomware group.
This operation involved executing search warrants against two suspects in Germany and Ukraine, both alleged to hold significant roles within the network.
Furthermore, a joint advisory by the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) has highlighted a double extortion actor known as Snatch (formerly Team Truniger).
The Department of Homeland Security (DHS) has noted in its latest Homeland Threat Assessment report that ransomware groups continue to evolve their tactics, making 2023 one of the most profitable years for them.
These groups increasingly employ multilevel extortion strategies, threatening to publicly release stolen data, using DDoS attacks, or harassing victims’ customers to compel payments.
The Akira ransomware has expanded its reach to include Linux servers and VMware ESXi virtual machines, demonstrating adaptability. As of mid-September, Akira has successfully targeted 110 victims in the U.S. and the U.K.
Ransomware: A Rising Threat in the Years Ahead
This surge in ransomware attacks has also led to an increase in cyber insurance claims, with a 12% rise in claims frequency in the U.S. in the first half of the year. Businesses with over $100 million in revenue have seen the most significant increase in claims.
Ransomware families have remained active and continue to evolve, targeting enterprises across various sectors. The number of active Ransomware-as-a-Service (RaaS) and RaaS-related groups is growing.
Keep learning to be proactive against these threats.