Security News > 2023 > September > ShadowSyndicate hackers linked to multiple ransomware ops, 85 servers
Group-IB analysts attribute with various degrees of confidence ShadowSyndicate's use of the Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play ransomware in breaches since July 2022.
Based on their findings, researchers believe that the threat actor could be an initial access broker, although evidence suggests that ShadowSyndicate is an affiliate to multiple ransomware operations.
Looking at the ShadowSyndicate servers identified based on the SSH fingerprint, the researchers "Came across eight different Cobalt Strike watermarks."
Group-IB tested the hypothesis that all 85 servers with the same SSH key fingerprint linked to ShadowSyndicate are connected to a single hosting provider but found 18 different owners, 22 distinct network names, and 13 different locations.
Analysis of Cobalt Strike C2 parameters like detection date, watermarks, or sleep time settings helped produce high-confidence evidence that links ShadowSyndicate to Quantum, Nokoyawa, and ALPHV/BlackCat ransomware.
For Clop particularly, Group-IB mentions that at least 12 IP addresses formerly linked to the notorious ransomware operators were transferred to ShadowSyndicate since August 2022 and are now utilized for Cobalt Strike.
News URL
Related news
- Live Ransomware Demo: See How Hackers Breach Networks and Demand a Ransom (source)
- TechRepublic EXCLUSIVE: New Ransomware Attacks are Getting More Personal as Hackers ‘Apply Psychological Pressure” (source)
- RedCurl cyberspies create ransomware to encrypt Hyper-V servers (source)
- ASUS releases fix for AMI bug that lets hackers brick servers (source)
- Hackers Exploit Critical Craft CMS Flaws; Hundreds of Servers Likely Compromised (source)
- Hitachi Vantara takes servers offline after Akira ransomware attack (source)
- U.S. Charges Yemeni Hacker Behind Black Kingdom Ransomware Targeting 1,500 Systems (source)