ShadowSyndicate hackers linked to multiple ransomware ops, 85 servers

2023-09-26 09:11

Group-IB analysts attribute with various degrees of confidence ShadowSyndicate's use of the Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play ransomware in breaches since July 2022.

Based on their findings, researchers believe that the threat actor could be an initial access broker, although evidence suggests that ShadowSyndicate is an affiliate to multiple ransomware operations.

Looking at the ShadowSyndicate servers identified based on the SSH fingerprint, the researchers "Came across eight different Cobalt Strike watermarks."

Group-IB tested the hypothesis that all 85 servers with the same SSH key fingerprint linked to ShadowSyndicate are connected to a single hosting provider but found 18 different owners, 22 distinct network names, and 13 different locations.

Analysis of Cobalt Strike C2 parameters like detection date, watermarks, or sleep time settings helped produce high-confidence evidence that links ShadowSyndicate to Quantum, Nokoyawa, and ALPHV/BlackCat ransomware.

For Clop particularly, Group-IB mentions that at least 12 IP addresses formerly linked to the notorious ransomware operators were transferred to ShadowSyndicate since August 2022 and are now utilized for Cobalt Strike.

News URL

https://www.bleepingcomputer.com/news/security/shadowsyndicate-hackers-linked-to-multiple-ransomware-ops-85-servers/

#hacker #ransomware #server

News URL

Related news