Uncover ShadowSyndicate Hackers’ Ties to Multiple Ransomware Campaigns and 85 Servers

A recent investigation by security researchers has shed light on a threat actor known as ShadowSyndicate, suspected of deploying seven distinct ransomware families in a series of attacks over the past year.

Collaborating closely with Bridewell and independent researcher Michael Koczwara, Group-IB analysts have traced ShadowSyndicate’s potential use of the Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play ransomware in numerous breaches dating back to July 2022.

Based on their extensive findings, researchers speculate that ShadowSyndicate may function as an initial access broker (IAB), but evidence also hints at its affiliation with multiple ransomware operations.

The researchers arrived at their conclusions by identifying a unique SSH fingerprint present on 85 IP servers, most of which were categorized as Cobalt Strike command and control nodes. This distinctive SSH fingerprint was first detected on July 16, 2022, and was still active as of August 2023.

To carry out their investigation, the research team utilized a range of tools, including discovery engines like Shodan and Censys, as well as various open-source intelligence (OSINT) techniques. This comprehensive approach allowed them to uncover a wide-ranging footprint of ShadowSyndicate activity.

The eight Cobalt Strike servers in question communicated with ransomware strains such as Cactus, Royal, Quantum, Nokoyawa, Play, Clop, and BlackCat/ALPHV, which had been deployed across various victim networks.

Furthermore, researchers identified Cobalt Strike configurations on two servers, with one of them matching the ShadowSyndicate SSH fingerprint. In some instances, ShadowSyndicate employed the Sliver penetration tool, previously considered as a potential alternative to Cobalt Strike.

An examination of the 85 servers sharing the same SSH key fingerprint linked to ShadowSyndicate revealed surprising results. Instead of being connected to a single hosting provider, the servers were associated with 18 different owners, featured 22 distinct network names, and were located in 13 different places.

Further analysis of command and control parameters, including detection dates, watermarks, and sleep time settings, yielded compelling evidence linking ShadowSyndicate to the Quantum, Nokoyawa, and ALPHV/BlackCat ransomware strains.

Specifically, the researchers connected these servers to a Quantum attack in September 2022, three Nokoyawa attacks spanning Q4 2022 to April 2023, and an ALPHV attack that occurred in February 2023.

Despite the mounting evidence pointing to a potential affiliation, establishing a high-confidence direct link between ShadowSyndicate and Clop remains elusive.

Consequently, ShadowSyndicate is most likely operating as an affiliate working with various ransomware-as-a-service (RaaS) operations, although further evidence is needed to substantiate this theory.