
    New Cybercrime Organization Connected to Seven Ransomware Groups

    The Rise of ShadowSyndicate: A Deep Dive into the Latest Cybercrime Collective

    Introduction to ShadowSyndicate

    In the ever-evolving landscape of cyber threats, new players emerge frequently, with some posing significant risks to global cybersecurity. One such emerging threat is ShadowSyndicate (previously known as Infra Storm). Since its first activity was recorded on July 16, 2022, this group has quickly made a name for itself by reportedly utilizing seven different ransomware families over the past year.

    Ransomware Families in Use

    ShadowSyndicate is not a solitary entity; it frequently collaborates with various ransomware groups and affiliates. According to a joint report by Group-IB and Bridewell, the collective has been associated with a number of notorious ransomware strains, including:

    • Quantum
    • Nokoyawa
    • BlackCat
    • Royal
    • Cl0p
    • Cactus
    • Play

    Beyond conventional ransomware, ShadowSyndicate has also adopted off-the-shelf post-exploitation tools, notably Cobalt Strike and Sliver. These tools, along with malicious loaders like IcedID and Matanbuchus, have been essential in their operations.

    Infrastructure Insights

    The technical report indicated a distinct SSH fingerprint tied to these activities; specifically, 1ca4cbac895fc3bd12417b77fc6ed31d was discovered across 85 servers. Among these, 52 servers functioned as command-and-control (C2) systems for Cobalt Strike, featuring eight different license keys.
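The 32-hex-character value quoted above has the shape of an MD5 host-key fingerprint, the form `ssh-keygen -l -E md5` prints (minus the colons). The script below is an added example, not code from the Group-IB/Bridewell report, showing how a defender can compute that fingerprint from an OpenSSH public-key or known_hosts line and compare it against a watchlist. The sample ed25519 key is constructed in the script and is not a real host key; the watchlist entry is the fingerprint quoted on this page.

```python
import base64
import hashlib
import struct
from typing import Dict, Optional, Tuple

# Watchlist keyed by hex MD5 fingerprint. The only entry is the indicator
# quoted in the report above; the label text is ours.
WATCHLIST: Dict[str, str] = {
    "1ca4cbac895fc3bd12417b77fc6ed31d": "SSH host key reported on ShadowSyndicate servers",
}


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def make_ed25519_host_key(raw_public_key: bytes) -> str:
    """Build a constructed 'ssh-ed25519 <base64>' line from a 32-byte value.

    This is a sample for the demonstration only; the bytes are not a real key.
    """
    if len(raw_public_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode()


def parse_host_key_line(line: str) -> Tuple[str, bytes]:
    """Parse an authorized_keys ('<type> <b64>') or known_hosts ('<host> <type> <b64>') line.

    Returns (key type, raw key blob). The algorithm name embedded in the blob
    must agree with the textual type, otherwise the line is rejected.
    """
    parts = line.split()
    for i, part in enumerate(parts[:-1]):
        if part.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(parts[i + 1], validate=True)
            (name_len,) = struct.unpack(">I", blob[:4])
            embedded = blob[4:4 + name_len].decode()
            if embedded != part:
                raise ValueError(f"key type mismatch: {part!r} vs {embedded!r}")
            return embedded, blob
    raise ValueError("no '<type> <base64>' pair found on line")


def md5_fingerprint(blob: bytes) -> str:
    """Hex MD5 over the raw key blob, which is what OpenSSH's MD5 fingerprint hashes."""
    return hashlib.md5(blob).hexdigest()


def colon_form(hex_fp: str) -> str:
    """Render a hex fingerprint in the colon-separated style ssh-keygen prints."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2))


def check_host_key(line: str, watchlist: Dict[str, str] = WATCHLIST) -> Tuple[str, Optional[str]]:
    """Return (fingerprint, watchlist label or None) for one key line."""
    _, blob = parse_host_key_line(line)
    fp = md5_fingerprint(blob)
    return fp, watchlist.get(fp)


if __name__ == "__main__":
    # Constructed sample key; in practice feed lines from ssh-keyscan output or known_hosts.
    sample = make_ed25519_host_key(bytes(range(32)))
    fp, hit = check_host_key("scanned-host.example " + sample)
    print(colon_form(fp), "->", hit or "not on watchlist")
```

In practice the input lines come from `ssh-keyscan` runs or a collected known_hosts file; a match on a watchlisted fingerprint is a pivot point for further investigation, not proof of compromise on its own, since fingerprints only identify the key, not who currently operates the host.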

    Geographically, the majority of these servers can be traced back to:

    • Panama: 23 servers
    • Cyprus: 11 servers
    • Russia: 9 servers
    • Seychelles: 8 servers
    • Costa Rica: 7 servers
    • Czechia: 7 servers
    • Belize: 6 servers
    • Bulgaria: 3 servers
    • Honduras: 3 servers
    • The Netherlands: 3 servers

    This distribution highlights the group’s global reach and the complexity of tracing its activities.

    Connections with Other Cybercrime Entities

    Intriguingly, Group-IB has unveiled infrastructural ties linking ShadowSyndicate with other well-known cybercrime operations. These connections include associations with TrickBot, Ryuk/Conti, FIN7, and TrueBot. For instance, of the 149 IP addresses associated with Cl0p ransomware affiliates, 12 IP addresses from four clusters have transitioned ownership to ShadowSyndicate, suggesting potential infrastructure sharing and collaborative efforts among these entities.

    Law Enforcement Responses

    The proactive measures taken by law enforcement have been noteworthy. Recently, German authorities launched a second wave of strikes against members of the DoppelPaymer ransomware group, targeting individuals allegedly responsible for orchestrating ransomware schemes. The suspects—a 44-year-old Ukrainian and a 45-year-old German—were believed to be pivotal in the network, yet their names remain undisclosed.

    Evolving Threats and Tactics

    Adapting to the changing landscape, Snatch ransomware has emerged as a case study of intruders employing multiple methods for breach and persistence. According to insights from the FBI and CISA, Snatch primarily exploits vulnerabilities in Remote Desktop Protocol (RDP). Its operators have gained access through brute-forcing tactics and compromised credentials retrieved from criminal marketplaces.
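RDP brute forcing of the kind described above leaves a recognisable trail in Windows Security logs: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source, sometimes followed by a success (event 4624) from the same source. The detector below is an added example, not from the FBI/CISA advisory, run over constructed log lines in a simplified key=value form; the field names mirror the Windows event fields but the records, addresses and timestamps are made up. It generalises slightly beyond the text by also flagging a success that follows a burst of failures, which is the case a responder most wants to see.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample events (not real log data). LogonType 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = """\
2023-09-20T10:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2023-09-20T10:00:04 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2023-09-20T10:00:07 EventID=4625 LogonType=10 TargetUser=backup SourceIP=203.0.113.7
2023-09-20T10:00:09 EventID=4625 LogonType=2 TargetUser=jdoe SourceIP=127.0.0.1
2023-09-20T10:00:11 EventID=4625 LogonType=10 TargetUser=svc_sql SourceIP=203.0.113.7
2023-09-20T10:00:15 EventID=4625 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.5
2023-09-20T10:00:16 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2023-09-20T10:00:20 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2023-09-20T10:01:30 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2023-09-20T10:02:00 EventID=4624 LogonType=10 TargetUser=jdoe SourceIP=198.51.100.5
"""

Finding = Tuple[str, str, object]


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Parse '<iso timestamp> key=value ...' into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields: Dict[str, object] = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not all(k in fields for k in ("EventID", "LogonType", "SourceIP")):
        return None
    fields.setdefault("TargetUser", "?")
    fields["ts"] = ts
    return fields


def detect_rdp_brute_force(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> List[Finding]:
    """Sliding-window detector over time-ordered events.

    Emits ('rdp_brute_force', src, count) when a source reaches `threshold`
    RDP failures inside `window`, and ('rdp_success_after_failures', src, user)
    when an RDP success arrives while that many failures are still in the window.
    """
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    findings: List[Finding] = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["LogonType"] != "10":
            continue  # not an RDP logon event (or unparseable)
        src = str(ev["SourceIP"])
        recent = failures[src]
        # Expire failures that fell out of the window.
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()
        if ev["EventID"] == "4625":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # alert on the first crossing only
                findings.append(("rdp_brute_force", src, len(recent)))
        elif ev["EventID"] == "4624" and len(recent) >= threshold:
            findings.append(("rdp_success_after_failures", src, ev["TargetUser"]))
    return findings


def run_sample() -> List[Finding]:
    """Run the detector over the constructed sample and return its findings."""
    return detect_rdp_brute_force(SAMPLE_EVENTS.splitlines())


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The console failure from 127.0.0.1 and the single mistyped password from 198.51.100.5 are ignored, while 203.0.113.7 trips the threshold on its fifth failure and then again when its later success lands inside the window; on real hosts the same logic applies to events read from the Security channel, with the threshold and window tuned to the environment's normal failure rate.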

    An alarming trend noted by the Department of Homeland Security (DHS) is the increasing complexity of ransomware tactics. The year 2023 has seen ransomware groups develop new multi-layered extortion methods, often coupling data encryption with the threat of public disclosure if ransoms are not paid.

    Statistical Overview of Ransomware Impact

    As of mid-2023, the impact of ransomware attacks has been staggering. The frequency of claims related to cyber incidents has surged by 12% in the U.S. alone during the first half of the year. Businesses bearing more than $100 million in revenue have reported the most significant increases in claims, with victims experiencing average loss amounts exceeding $365,000.

    Moreover, emerging ransomware groups have quickly adopted new techniques to broaden the range of systems they target. For instance, the Akira ransomware has diversified its potential targets to include Linux servers and VMware ESXi virtual machines, reflecting its capacity for rapid evolution.

    The Most Prolific Ransomware Families

    Several ransomware families continue to dominate the threat landscape:

    1. LockBit
    2. BlackCat
    3. Cl0p

    All these groups have been implicated in extensive operations targeting various sectors, such as banking, retail, and transportation. Notably, eSentire’s recent report detailed incidents where LockBit exploited RMM tools for lateral movement within networks, thereby accelerating the intrusion once initial access was obtained.

    Conclusion

    Ransomware is a dynamic and increasingly profitable enterprise for cybercriminals. As the landscape changes, so too do the techniques employed by these groups. Monitoring their strategies and understanding their connections will be crucial for both cybersecurity professionals and organizations alike as they strive to mitigate the ever-present threat of cybercrime.
