A suspected ransomware-as-a-service (RaaS) affiliate dubbed "ShadowSyndicate" has been observed operating with a single Secure Shell (SSH) fingerprint on 85 servers since July 2022 and has used seven different ransomware families to launch attacks during the past year.
In a blog post Sept. 26, Group-IB researchers said it’s very rare for one SSH fingerprint to have such a complex web of connections with a large number of malicious servers.
Group-IB said it was unable to confirm for certain whether ShadowSyndicate operates as a RaaS affiliate or an initial access broker, but based on its research, Group-IB believed the threat actor was operating as a RaaS affiliate.
Group-IB based its theory on the finding that watermarks from several of the seven ransomware groups identified could be detected on a single server. While this complicates attribution, the researchers said it supported their theory that ShadowSyndicate operates as a RaaS affiliate working with various RaaS groups.
The Group-IB researchers said they can attribute ShadowSyndicate with a high degree of confidence to Quantum ransomware activity in September 2022, the Nokoyawa ransomware group in October 2022 and March 2023, and ALPHV (BlackCat) activity in February 2023.
The researchers attribute the following ransomware groups to ShadowSyndicate with a low degree of confidence: Royal, Cl0p, Cactus, and Play. ShadowSyndicate was also found to use known off-the-shelf toolkits such as Cobalt Strike, IcedID, and Sliver malware. At least 52 of the servers use a Cobalt Strike C2 framework.
Group-IB conducted the research on the ShadowSyndicate by forming a Cybercrime Fighters Club with Joshua Penny from Bridewell, Group-IB’s longtime MSSP partner in Europe, and threat researcher Michael Koczwara.
When groups start using technology such as Cobalt Strike, IcedID, and Sliver and SSH servers that are “fingerprintable,” it can go both ways when it comes to attribution, said Mayuresh Dani, manager, threat research at Qualys.
“Unique fingerprints lead to precise attribution and shared fingerprints lead to incorrect attribution,” said Dani. “However, their use of off-the-shelf multiple ransomware families, C2 frameworks, and IP infrastructure all point to ShadowSyndicate being a RaaS affiliate.”
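The attribution technique described above rests on SSH host-key fingerprints: every server presents a public host key, and the OpenSSH fingerprint is the SHA-256 of that key blob, so identical fingerprints across many hosts mean the same key material was deployed on all of them. The following added example (not part of the Group-IB research or the article) computes fingerprints from known_hosts-style records and reports any fingerprint reused across hosts; the host addresses and key bytes are constructed dummy values.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length + bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_host_key_blob(raw_pubkey: bytes) -> bytes:
    """Build an ssh-ed25519 public-key blob (the base64 field of a host key line)."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)


def sha256_fingerprint(blob: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(SHA-256(blob)) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts_line(line: str):
    """Return (host, key_blob) from a 'host keytype base64key' record."""
    host, _keytype, b64 = line.split()[:3]
    return host, base64.b64decode(b64)


def cluster_by_fingerprint(lines):
    """Group scanned hosts by the fingerprint of the host key they presented."""
    clusters = defaultdict(list)
    for line in lines:
        host, blob = parse_known_hosts_line(line)
        clusters[sha256_fingerprint(blob)].append(host)
    return dict(clusters)


def shared_fingerprints(lines, min_hosts=2):
    """Keep only fingerprints seen on at least min_hosts distinct hosts."""
    return {fp: hosts for fp, hosts in cluster_by_fingerprint(lines).items()
            if len(hosts) >= min_hosts}


# Constructed sample scan: RFC 5737 documentation addresses and dummy key bytes,
# not real infrastructure. Three hosts share one key; one host has its own.
SHARED_KEY = ed25519_host_key_blob(bytes(range(32)))
UNIQUE_KEY = ed25519_host_key_blob(bytes(range(32, 64)))

def known_hosts_line(host: str, blob: bytes) -> str:
    return f"{host} ssh-ed25519 {base64.b64encode(blob).decode()}"

SAMPLE_SCAN = [
    known_hosts_line("192.0.2.10", SHARED_KEY),
    known_hosts_line("192.0.2.11", SHARED_KEY),
    known_hosts_line("198.51.100.7", SHARED_KEY),
    known_hosts_line("203.0.113.5", UNIQUE_KEY),
]

if __name__ == "__main__":
    for fp, hosts in shared_fingerprints(SAMPLE_SCAN).items():
        print(f"{fp} reused on {len(hosts)} hosts: {', '.join(hosts)}")
```

On a real host key line the same value is what `ssh-keygen -lf` prints, so the clustering can be checked against standard tooling.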
John Gallagher, vice president of Viakoo Labs, added that given the investment made in depth and range of malware and capabilities assembled by ShadowSyndicate, it’s likely they are very focused on high-value targets, and use a unique strategy for each.
“In general, the expansion in RaaS providers and capabilities shows that money is being made there and threat actors will continue to invest in evolving more significant capabilities,” said Gallagher.
John Gunn, chief executive officer at Token, added that the research community may rely too heavily on its forensics while ignoring the fact that these groups are inherently clandestine and dishonest.
“They frequently place red herrings and false evidence to deceive researchers and mislead law enforcement agencies,” noted Gunn.