
Working from Tehran while being registered in Wyoming


Halcyon researchers have recently released a report shedding light on the command-and-control providers that ransomware gangs rely on. Their investigation points to Cloudzy, a virtual private server (VPS) provider, as a common service used to support ransomware attacks and other cybercriminal activities. Although Cloudzy is incorporated in the United States, specifically in the state of Wyoming, the researchers suspect that the company operates from Tehran, Iran, potentially violating U.S. sanctions.

The report emphasizes the broad range of threat actors that leverage Cloudzy’s services. According to Halcyon, these actors include advanced persistent threat (APT) groups associated with various governments, such as China, Iran, North Korea, Russia, India, Pakistan, and Vietnam. In addition, the report highlights the involvement of criminal syndicates, ransomware affiliates, and even a sanctioned Israeli spyware vendor known for targeting civilians. The researchers stress that the campaigns orchestrated by these actors have attracted global attention.

What differentiates Cloudzy from bulletproof hosting providers is its lack of commitment to privacy. Bulletproof hosting providers, for the most part, claim to prioritize privacy. In contrast, Cloudzy attempts to hide its connections while pretending to be a legitimate company. Furthermore, Cloudzy appears to dismiss complaints of abuse, a behavior that is highly unlikely for a lawful entity.

There is a striking similarity between the activities carried out by criminal organizations and state-sponsored groups. These actors often employ comparable tools, tactics, and techniques. Rosa Smothers, a former CIA Cyber Threat Analyst and the current SVP of Cyber Operations at KnowBe4, likened the situation to the SolarWinds attack on U.S. federal and private sector infrastructure. Smothers noted that the attack, commonly referred to as “Sunburst,” was attributed to Russia and involved the use of Amazon Web Services (AWS) as a command-and-control provider (C2P). In both instances, it is unrealistic to expect the provider to monitor the activities of threat actors due to privacy agreements with customers and the use of encryption.

The modern hosting provider for the dark web, as described by Tom Kellermann, SVP of Cyber Strategy at Contrast Security, resembles Cloudzy. Kellermann acknowledges that the dark web is home to various actors, not all of whom are classified as pure cybercriminals. He emphasizes that the dark web operates at a scale comparable to that of Silicon Valley, with cybercrime cartels managing the infrastructure that enables its existence. Kellermann expresses hope that the FBI will disrupt and dismantle Cloudzy, describing it as a nefarious hosting provider.

The findings of Halcyon’s report shed light on the significant role command-and-control providers play in supporting ransomware attacks and other illicit online activities. Given the range of actors leveraging Cloudzy’s services, it is imperative for law enforcement agencies to take action to mitigate these threats to cybersecurity.
