Diving into details
- ShadowSyndicate has been identified as using a consistent SSH fingerprint across 85 servers. A significant portion of these, specifically 52, function as Cobalt Strike C2 servers, facilitating the orchestration of the group’s malicious activities.
- Researchers surmise that ShadowSyndicate operates as a Ransomware-as-a-Service (RaaS) affiliate. Furthermore, the gang employs an array of tools in their attacks, including the Sliver and Meterpreter penetration testing tools, the IcedID banking trojan, and the Matanbuchus malware loader.
- This comprehensive toolset was linked to a string of attacks: the Nokoyawa ransomware incidents in 2022, a Quantum ransomware attack in September 2022, and the ALPHV/BlackCat ransomware event just a month prior.
Probable connection with other ransomware
- Upon examining List A servers with Group-IB data sources, it was determined that some of these servers were labeled as Ryuk, Conti, and Trickbot. These criminal entities, however, are now defunct.
- During the investigation, potential ties between ShadowSyndicate and Truebot/Cl0p infrastructure were unearthed. Certain IP addresses initially linked to Cl0p seem to have transitioned to ShadowSyndicate control, as indicated by the adoption of the ShadowSyndicate SSH key.
- These IP addresses correlate with several clusters associated with affiliates of Cl0p, Black Basta, and former ransomware groups mentioned above.
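The two infrastructure observations above (one SSH fingerprint shared by 85 servers, and IP addresses whose host key changed from a Cl0p-linked key to the ShadowSyndicate key) both rest on the same defender technique: computing OpenSSH-style host key fingerprints from scan data, grouping hosts by fingerprint, and watching for hosts whose fingerprint changes over time. The following is an added example and not code from Group-IB or the report; the host keys, IP addresses (TEST-NET ranges) and observation dates are constructed, and `make_ed25519_blob`, `cluster_by_fingerprint` and `key_transitions` are names chosen here. The fingerprint format (`SHA256:` followed by unpadded base64 of the SHA-256 of the raw key blob) is the one `ssh-keygen -lf` prints.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def make_ed25519_blob(seed: bytes) -> bytes:
    """Build a constructed ssh-ed25519 public key blob in OpenSSH wire format:
    a sequence of length-prefixed strings (key type, then the 32-byte key)."""
    assert len(seed) == 32, "ed25519 public keys are 32 bytes"
    return b"".join(struct.pack(">I", len(s)) + s for s in (b"ssh-ed25519", seed))


def key_line(blob: bytes, comment: str = "") -> str:
    """Render a blob as the one-line form a scanner records: 'type base64 [comment]'."""
    line = "ssh-ed25519 " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def parse_key_line(line: str):
    """Return (key_type, raw_blob) for a public key line, rejecting malformed input
    and lines whose declared type disagrees with the type encoded inside the blob."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != key_type.encode():
        raise ValueError("declared key type does not match blob contents")
    return key_type, blob


def fingerprint_sha256(line: str) -> str:
    """OpenSSH SHA256 fingerprint: hash of the raw blob, base64 without '=' padding.
    The trailing comment is not part of the key and does not affect the result."""
    _, blob = parse_key_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(records):
    """Group observed IPs by host key fingerprint.
    records: iterable of (observed_date, ip, key_line). Returns {fingerprint: set(ip)}."""
    clusters = defaultdict(set)
    for _, ip, line in records:
        clusters[fingerprint_sha256(line)].add(ip)
    return dict(clusters)


def key_transitions(records):
    """For each IP, the chronological sequence of distinct fingerprints it presented.
    Only IPs whose key changed are returned: {ip: [old_fp, ..., new_fp]}."""
    history = defaultdict(list)
    for date, ip, line in sorted(records, key=lambda r: r[0]):  # ISO dates sort lexically
        fp = fingerprint_sha256(line)
        if not history[ip] or history[ip][-1] != fp:
            history[ip].append(fp)
    return {ip: fps for ip, fps in history.items() if len(fps) > 1}


# Constructed sample: three host keys and five scan observations.
KEY_A = key_line(make_ed25519_blob(bytes([1] * 32)), "cluster-key")   # shared key
KEY_B = key_line(make_ed25519_blob(bytes([2] * 32)))                  # unrelated key
KEY_C = key_line(make_ed25519_blob(bytes([3] * 32)))                  # unrelated key

SAMPLE_RECORDS = [
    ("2023-01-15", "192.0.2.10", KEY_A),
    ("2023-01-15", "192.0.2.11", KEY_A),
    ("2023-01-15", "198.51.100.5", KEY_B),   # first seen with a different key
    ("2023-02-20", "198.51.100.5", KEY_A),   # later presents the shared key
    ("2023-02-20", "192.0.2.12", KEY_C),
]

if __name__ == "__main__":
    for fp, ips in cluster_by_fingerprint(SAMPLE_RECORDS).items():
        print(f"{fp}  {len(ips)} host(s): {sorted(ips)}")
    for ip, fps in key_transitions(SAMPLE_RECORDS).items():
        print(f"{ip} changed key: {' -> '.join(fps)}")
```

The transition check is what makes the second observation reproducible: an IP that moves from one fingerprint cluster to another shows up as a single entry in `key_transitions`, and the date ordering tells you which key came first. Real scan feeds also need handling for hosts that present several key types (RSA, ECDSA, Ed25519) at once; grouping on each type separately avoids mixing fingerprints that are not comparable.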
The bottom line
ShadowSyndicate distinguishes itself from other affiliates through the variety of ransomware families it has disseminated over the past year. It’s uncommon for one affiliate to differentiate itself as markedly as ShadowSyndicate has, especially with such a wide-ranging focus. Its prominence in an already saturated field of threat actors underscores the ongoing lucrative nature of ransomware attacks for perpetrators.