ShadowSyndicate, the latest sophisticated ransomware threat

January 3, 2024

A newly discovered and complex web of ransomware activity, tracked as ShadowSyndicate, has emerged in the cybercriminal landscape. The group may become a significant player in cybercrime, given that it has deployed a diverse arsenal of ransomware families to wreak havoc on victims’ systems.

This ransomware group first appeared in June 2022, although its activity may date back earlier. It has connections to seven distinct ransomware families, which points to sophisticated capabilities and extensive influence in the underground community.


ShadowSyndicate operates numerous servers.


The ShadowSyndicate actors’ infrastructure comprises 85 servers, 52 of which serve as Cobalt Strike C2 servers for orchestrating their malicious activities. The consistent reuse of the same SSH fingerprint across these servers is what allowed researchers to tie them together and has provided clues about how the group executes its operations.

Researchers’ assessments indicate that ShadowSyndicate operates as a Ransomware-as-a-Service (RaaS) affiliate, meaning it works with other cybercriminals to deploy ransomware attacks. This affiliation gives it access to a comprehensive hacking toolkit, including the Sliver and Meterpreter penetration testing tools, the IcedID banking trojan, and the Matanbuchus malware loader.

Furthermore, other researchers have linked the group to several high-profile attacks, including the Nokoyawa ransomware incidents in 2022, the Quantum ransomware attack in September 2022, and ALPHV/BlackCat ransomware activity.

Separate examinations of the data associated with ShadowSyndicate’s infrastructure also revealed that the group labelled some of its servers with the names of defunct ransomware groups such as Ryuk, Conti, and Trickbot.

These investigations also revealed potential affiliations between ShadowSyndicate and the Truebot/Cl0p infrastructure. In particular, specific IP addresses once linked to Cl0p appear to have transitioned to ShadowSyndicate’s control, a change marked by their adoption of the ShadowSyndicate SSH key.
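The two infrastructure observations above (servers tied together by a shared SSH fingerprint, and IP addresses whose key changed to the group’s key over time) both reduce to the same defensive analysis: compute an OpenSSH-style SHA256 fingerprint for each observed host key, cluster hosts that present the same fingerprint, and flag hosts whose fingerprint changed between scans. The following Python is an added example written for this article, not code from the researchers who published the findings; the scan records, IP addresses (from documentation ranges) and host-key blobs are all constructed and stand in for real data the article does not include.

```python
import base64
import hashlib
from collections import defaultdict


def ssh_fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of SHA-256 over the raw key blob.
    This matches what `ssh-keygen -lf` prints for a public key."""
    raw = base64.b64decode(b64_key)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _blob(label: str) -> str:
    """Build a constructed, arbitrary key blob for the sample data (not a real SSH key)."""
    return base64.b64encode(label.encode().ljust(32, b"\0")).decode()


# Constructed host-key blobs standing in for three distinct server keys.
KEY_SHARED = _blob("constructed-shared-key")   # the key reused across a cluster
KEY_OTHER = _blob("constructed-other-key")     # an unrelated server
KEY_LEGACY = _blob("constructed-legacy-key")   # a host's earlier key before re-keying

# Constructed scan records: (observation date, ip, base64 host key).
# IPs come from RFC 5737 documentation ranges and are not real infrastructure.
SCAN_RECORDS = [
    ("2022-06-01", "192.0.2.10", KEY_SHARED),
    ("2022-06-01", "192.0.2.11", KEY_SHARED),
    ("2022-06-01", "198.51.100.5", KEY_OTHER),
    ("2022-06-01", "203.0.113.7", KEY_LEGACY),
    ("2022-09-01", "203.0.113.7", KEY_SHARED),   # same IP now presents the shared key
    ("2022-09-01", "192.0.2.12", KEY_SHARED),
]


def cluster_by_fingerprint(records):
    """Map each fingerprint to the sorted list of IPs that presented it."""
    clusters = defaultdict(set)
    for _date, ip, key in records:
        clusters[ssh_fingerprint(key)].add(ip)
    return {fp: sorted(ips) for fp, ips in clusters.items()}


def shared_key_clusters(records, min_hosts: int = 2):
    """Only the fingerprints seen on at least `min_hosts` distinct IPs.
    A host key reused across many servers is the pivot the article describes."""
    return {fp: ips for fp, ips in cluster_by_fingerprint(records).items()
            if len(ips) >= min_hosts}


def key_transitions(records):
    """For each IP, the date-ordered sequence of distinct fingerprints it presented.
    Returns only IPs whose key changed, e.g. a host re-keyed to a cluster's shared key."""
    history = defaultdict(list)
    for date, ip, key in sorted(records):
        fp = ssh_fingerprint(key)
        if not history[ip] or history[ip][-1][1] != fp:
            history[ip].append((date, fp))
    return {ip: hist for ip, hist in history.items() if len(hist) > 1}


if __name__ == "__main__":
    for fp, ips in shared_key_clusters(SCAN_RECORDS).items():
        print(f"{fp} shared by {len(ips)} hosts: {', '.join(ips)}")
    for ip, hist in key_transitions(SCAN_RECORDS).items():
        print(f"{ip} changed key: " + " -> ".join(f"{d}:{fp[:15]}..." for d, fp in hist))
```

Run against real data, the records would come from a scanner's SSH banner and host-key output rather than the constructed list; the fingerprint function is the part that must match `ssh-keygen -lf` exactly so that clusters can be compared with published indicators.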

The most threatening aspect of the ShadowSyndicate group is its diversified ransomware portfolio: it has deployed seven distinct ransomware families in a single year. These details show how ransomware attacks have become a profitable operation for many hackers.

The emergence of groups like ShadowSyndicate is evidence of the constant growth of ransomware operations. Organisations should keep pace with these developments by employing robust cybersecurity measures and supporting international collaboration to counter ransomware attacks.
