ShadowSyndicate: A New Player in the RaaS Landscape
New Group Has Connections to Name-Brand Ransomware-as-a-Service Groups
An apparently new hacking group has connections to a number of name-brand ransomware-as-a-service groups including Conti spinoffs and possibly Clop, making it a notably versatile addition to the criminal underground.
Group-IB researchers dubbed the group ShadowSyndicate in a Tuesday blog post. An investigation found the group's single SSH fingerprint deployed since July 2022 onto 85 servers, the majority of them tagged as command and control for the Cobalt Strike pen-testing tool that doubles as a hacker favorite. ShadowSyndicate appears - with varying shades of researcher confidence - to have worked so far with seven different ransomware providers.
Ransomware as a service emerged as the dominant model for cyber extortion over the past half-decade, and mostly Russian-speaking criminal groups learned to specialize and share profits. RaaS operators develop malicious encryptors and a client portal and handle negotiations with victims. Affiliates deploy the malware, whether through their own hacking or through access to compromised machines bought from an initial access broker. Operators typically keep between 20% and 40% of the victim payout.
There's a possibility that ShadowSyndicate is an initial access broker, although Group-IB said its analysis points toward it being an affiliate.
Group-IB found that the server infrastructure of ShadowSyndicate had been used in a September 2022 attack using Quantum ransomware, in three Nokoyawa attacks during the last three months of 2022 and April 2023, and in an Alphv attack in February 2023 (see: After Conti Ransomware Brand Retires, Spinoffs Carry On).
Group-IB also identified, with a low degree of confidence, infrastructure overlaps linking ShadowSyndicate to TrickBot, Ryuk, FIN7 and TrueBot malware operations.
In particular, a dozen IP addresses from four different clusters associated with Clop ransomware affiliates since August 2022 changed ownership to ShadowSyndicate, "which suggests that there is some potential sharing of infrastructure between these groups," the researchers said. The IP addresses now all lead to command-and-control infrastructure for Cobalt Strike or Metasploit. Group-IB said it doesn't know for which purpose Clop used the IP addresses.
The disclosure comes as security analysts have recorded a drop in ransomware attacks in August after record months in June and July, a bump the NCC Group attributed to Clop's exploitation of a zero-day flaw in Progress Software's MOVEit file transfer software (see: Data Breach Toll Tied to Clop Group's MOVEit Attack Surges).
"This being said, the number of recorded victims in August was still significantly higher than this time last year," said Matt Hull, global head of threat intelligence at NCC Group.