Security researchers have identified a threat actor known as ShadowSyndicate, which is believed to have deployed seven different ransomware families in attacks over the past year.
Collaborating with Bridewell and independent researcher Michael Koczwara, Group-IB analysts have attributed various ransomware attacks, including Quantum, Nokoyawa, Clop, and others, to ShadowSyndicate. The researchers discovered a distinct SSH fingerprint on 85 IP servers, most of which were tagged as Cobalt Strike command and control machines, leading them to conclude that ShadowSyndicate is likely an affiliate to multiple ransomware operations. While the evidence suggests ShadowSyndicate may be an initial access broker (IAB), more conclusive proof is needed.
Furthermore, the investigation relied on tools such as Shodan and Censys, along with OSINT techniques, to reveal a vast ShadowSyndicate activity footprint. The researchers found eight different Cobalt Strike watermarks on the servers associated with ShadowSyndicate, connecting them to ransomware like Cactus, Royal, and Play.
They also observed the use of tools like Sliver penetration and IcedID malware loader in ShadowSyndicate attacks. Despite the extensive findings, establishing a high-confidence direct link between ShadowSyndicate and Clop ransomware remains elusive.
The research underscores the evolving and complex landscape of cyber threats, with ShadowSyndicate likely operating as an affiliate working with various ransomware-as-a-service (RaaS) operations. Group-IB encourages collaboration with external researchers to further investigate this threat. They have published a detailed report with technical data to assist defenders in detecting and attributing ShadowSyndicate activity.