ShadowSyndicate Linked to Multiple Ransomware Families
Recent investigations by cybersecurity experts have unveiled ShadowSyndicate, a clandestine cybercrime group that has been operational since July 16, 2022. Notably, this group is linked to deploying as many as seven distinct ransomware families over the past year. Formerly known as Infra Storm, the group's activities have raised alarm bells in the cybersecurity community.
Group-IB, Bridewell, and independent cybersecurity researcher Michael Koczwara have shed light on ShadowSyndicate's operations and affiliations in a collaborative report. Their findings connect ShadowSyndicate with multiple ransomware strains, including Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play.
What's equally concerning is the group's use of advanced post-exploitation tooling. Frameworks such as Cobalt Strike and Sliver, along with malware like IcedID and Matanbuchus, have been identified in its arsenal, suggesting a sophisticated modus operandi. Central to this revelation was a distinctive SSH fingerprint shared across 85 servers. More than half of those servers functioned as command-and-control (C2) points for Cobalt Strike.
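The pivot described above, a single SSH fingerprint tying many servers to one operator, is a standard infrastructure-clustering step in threat intelligence. The following is an added example, not code from the original article or from the researchers named in it: it computes OpenSSH-style SHA256 fingerprints from public-key blobs and groups hosts that present the same key. All hosts and keys are constructed sample data (documentation IP ranges and synthetic ed25519 key bytes), not indicators from the report.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_blob(raw_key: bytes) -> str:
    """Build a base64 ssh-ed25519 public-key blob from 32 raw key bytes.

    Used only to construct synthetic sample keys for this example; the blob
    layout (key-type string followed by the raw key) is the one OpenSSH uses.
    """
    assert len(raw_key) == 32
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_key)
    return base64.b64encode(blob).decode("ascii")


def sha256_fingerprint(key_b64: str) -> str:
    """Return the fingerprint as ssh-keygen -l prints it:
    'SHA256:' followed by the unpadded base64 of the SHA-256 digest of the blob."""
    blob = base64.b64decode(key_b64)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def cluster_by_fingerprint(records):
    """Group (host, key_b64) observations by host-key fingerprint."""
    clusters = defaultdict(list)
    for host, key_b64 in records:
        clusters[sha256_fingerprint(key_b64)].append(host)
    return dict(clusters)


def shared_key_clusters(records, min_hosts=2):
    """Keep only fingerprints seen on at least min_hosts distinct hosts.

    A host key reused across servers is the lead that ties otherwise
    unrelated infrastructure to a single operator or hosting template.
    """
    return {
        fp: hosts
        for fp, hosts in cluster_by_fingerprint(records).items()
        if len(set(hosts)) >= min_hosts
    }


# Constructed sample data (hypothetical): three hosts share one synthetic key,
# a fourth presents its own. Addresses come from RFC 5737 documentation ranges.
SHARED_KEY = make_ed25519_blob(bytes(range(32)))
UNIQUE_KEY = make_ed25519_blob(bytes(range(32, 64)))
SAMPLE_RECORDS = [
    ("203.0.113.10", SHARED_KEY),
    ("203.0.113.11", SHARED_KEY),
    ("198.51.100.7", SHARED_KEY),
    ("192.0.2.44", UNIQUE_KEY),
]

if __name__ == "__main__":
    for fp, hosts in shared_key_clusters(SAMPLE_RECORDS).items():
        print(f"{fp} reused on {len(hosts)} hosts: {', '.join(hosts)}")
```

In practice the `(host, key)` records come from an internet-scan dataset or from a scanner's own SSH banner collection, and a shared fingerprint is a lead rather than proof of a single operator: cloned VM images and hosting templates also reuse host keys, so each cluster should be corroborated with other signals such as the C2 software observed on the hosts.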
The geographical spread of these servers adds another layer of complexity. Most are hosted in deliberately chosen jurisdictions, with privacy-friendly Panama accounting for the majority. Other countries on the list include Cyprus, Russia, and the Seychelles.
Additional findings by the investigators hinted that ShadowSyndicate was previously connected with the well-known TrickBot and Ryuk operations. While these gangs no longer exist, the researchers also observed that 12 IP addresses previously associated with Cl0p ransomware affiliates appear to have transitioned to ShadowSyndicate. Such overlaps suggest shared infrastructure and collaboration among these cybercrime entities.
This disclosure is timely, considering the rising global unease around ransomware attacks. The U.S. Department of Homeland Security recently spotlighted the evolving tactics of ransomware entities, with their report underscoring the innovation and persistence of these groups. U.S. agencies have also been flagging threats from another actor, Snatch, which has been targeting vital infrastructure with alarming frequency.
The repercussions are felt widely. Insurance claims pertaining to ransomware incidents have surged. The amount of money involved in ransom demands has also escalated dramatically.
As illustrated by this investigation, the cybersecurity landscape is in constant flux. With ransomware families like BlackCat, Cl0p, and LockBit continually evolving their strategies, the challenges for defense mechanisms intensify.