Security News > 2023 > September > ShadowSyndicate hackers linked to multiple ransomware ops, 85 servers
Group-IB analysts attribute with various degrees of confidence ShadowSyndicate's use of the Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play ransomware in breaches since July 2022.
Based on their findings, researchers believe that the threat actor could be an initial access broker, although evidence suggests that ShadowSyndicate is an affiliate to multiple ransomware operations.
Looking at the ShadowSyndicate servers identified based on the SSH fingerprint, the researchers "Came across eight different Cobalt Strike watermarks."
Group-IB tested the hypothesis that all 85 servers with the same SSH key fingerprint linked to ShadowSyndicate are connected to a single hosting provider but found 18 different owners, 22 distinct network names, and 13 different locations.
Analysis of Cobalt Strike C2 parameters like detection date, watermarks, or sleep time settings helped produce high-confidence evidence that links ShadowSyndicate to Quantum, Nokoyawa, and ALPHV/BlackCat ransomware.
For Clop particularly, Group-IB mentions that at least 12 IP addresses formerly linked to the notorious ransomware operators were transferred to ShadowSyndicate since August 2022 and are now utilized for Cobalt Strike.
News URL
Related news
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers (source)
- CISA: Hackers abuse F5 BIG-IP cookies to map internal servers (source)
- Ransomware hits web hosting servers via vulnerable CyberPanel instances (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- North Korean hackers pave the way for Play ransomware (source)
- Meet Interlock — The new ransomware targeting FreeBSD servers (source)