A new cyber threat group known as ShadowSyndicate has emerged, utilizing a large network of malicious servers to distribute and manage multiple ransomware families. These ransomware families include well-known ones such as ALPHV, Quantum, and Nokoyawa. Researchers from Group-IB and other organizations have analyzed the group’s activities and uncovered potential links to the operators of Cl0p, Play, Royal, and Cactus ransomware families.
ShadowSyndicate is believed to be a ransomware-as-a-service (RaaS) affiliate, meaning that it distributes ransomware created by other RaaS operators in exchange for a portion of the ransom payment. However, what sets ShadowSyndicate apart from other affiliates is the sheer number of ransomware families it has distributed in the past year. Eline Switzer, a threat intelligence analyst at Group-IB, stated that this level of activity is unusual for a single affiliate, and it is not something they have seen before.
Ransomware affiliates often receive less recognition than the RaaS operators they work for, despite playing a crucial role in the proliferation of ransomware-as-a-service offerings. Affiliates are responsible for distributing the malware, infecting networks, negotiating ransoms, and collecting payments. Major RaaS programs like Lockbit can have numerous affiliates carrying out attacks and distributing their malware. However, it is rare for a single affiliate to stand out as prominently as ShadowSyndicate has.
Group-IB’s assessment of the ShadowSyndicate operation revealed that the threat actor uses at least 85 servers in its attacks. To put this number into perspective, other groups typically use around 50 servers, while some use more than 100. ShadowSyndicate’s servers are geographically dispersed, with a preference for hosting in Panama. Group-IB identified 52 of these systems being used as Cobalt Strike command-and-control (C2) servers, which allow the threat actor to manage and coordinate its malware campaigns.
Alongside Cobalt Strike, ShadowSyndicate employs a range of other tools and malware in its attacks. Group-IB identified the use of the Sliver and Meterpreter penetration-testing frameworks, the IcedID banking Trojan, and the Matanbuchus malware loader. The researchers were able to conclusively link ShadowSyndicate’s C2 servers to various ransomware attacks, including those involving Nokoyawa, Quantum, ALPHV (BlackCat), Play, Royal, and Cl0p. Many of these attacks occurred within the past year.
The emergence of ShadowSyndicate in an already crowded threat actor landscape highlights the continuing profitability of ransomware attacks. A recent report from the NCC Group noted a slight decrease in ransomware attacks last month, following a peak in July. Almost half of the attacks (47%) targeted organizations in North America, primarily in industrial, consumer, and technology sectors. Notably, Lockbit 3.0 affiliates were responsible for 125 of the 390 attacks recorded by NCC Group, marking a significant month-over-month increase.
While Group-IB’s research is ongoing, early evidence suggests that ShadowSyndicate is indeed a RaaS affiliate that deploys several types of malware. Its distribution of multiple ransomware families and its substantial server infrastructure highlight the group’s sophistication and potential impact on victims. As the ransomware threat continues to evolve and cybercriminals seek new ways to profit, organizations must remain vigilant in their security measures to protect against these evolving attacks.