ShadowSyndicate: A New Raas Provider Launching Multiple Ransomware Attacks

A new Ransomware-as-a-service (RaaS) provider has been discovered by researchers, which notably uses multiple ransomware families and is found to have links with several ransomware attacks since July 2022.

This new threat actor has been given the name “ShadowSyndicate,” which uses a complex web of connections on their infrastructure. This threat actor is investigated for using many infamous toolkits like Cobalt Strike, IcedID, and Sliver malware for their attacks. 

However, there seem to be no confirmed reports on whether the threat actor is a RaaS affiliate or an initial access broker. 

ShadowSyndicate Raas Provider

ShadowSyndicate was identified in July 2022 and was found to be using at least seven different ransomware families. Also, this threat actor is said to be linked with Royal, Cl0p, Cactus, and Play ransomware activity.

The Ransomware-as-a-Service (RaaS) group employs a variety of tools for their operations. Among these are Cobalt Strike, a powerful tool for conducting advanced penetration testing; Sliver, another penetration testing tool; IcedID, a banking Trojan that steals financial information; Matanbuchus, a backdoor Trojan; and Meterpreter, a post-exploitation tool used for executing commands on compromised systems.

In addition to this, a connection was found with their infrastructure and Cl0p/Truebot. Moreover, the threat actor is attributed to Quantum ransomware activity (September 2022), Nokoyawa ransomware activity (October & November 2022 and March 2023), and ALPHV activity in February 2023.


Deploy Advanced AI-Powered Email Security Solution

Implementing AI-Powered Email security solutions “Trustifi” can secure your business from today’s most dangerous email threats, such as Email Tracking, Blocking, Modifying, Phishing, Account Take Over, Business Email Compromise, Malware & Ransomware

On further investigations, it was found that the threat actor was using a single SSH fingerprint on 85 of its malicious servers, 52 of them were using Cobalt Strike C2. Other servers were found to be using Sliver, IcedID, and Matanbuchus. The threat actor also had 18 different hosts in multiple countries.

To identify a server, SSH generates a unique server host key fingerprint that clients can use for verification purposes.

Researchers have noted that ShadowSyndicate’s servers are not all owned by the same entity. This information eliminates the possibility that ShadowSyndicate is a hoster who set up the SSH fingerprint on their server, as previously hypothesized. Upon further investigation, it was discovered that there are 18 distinct server owners involved.

ShadowSyndicate servers by owner name (Image: GroupIB)

The relation between ShadowSyndicate and other malware families was discovered after analyzing the configurations on each attacker-controlled server. It is also suspected that threat actors belonging to Ryuk, Conti, and Trickbot are continuing their activity in other criminal groups.

However, there seems to be no reliable evidence to support the suspicion. Group-IB has published a complete report in collaboration with Bridewell about the threat actor and their infrastructure, including the IP servers controlled by the threat actor, their relation with other ransomware groups, Cobalt Strike watermarks, and other information.

Protect yourself from vulnerabilities using Patch Manager Plus to quickly patch over 850 third-party applications. Take advantage of the free trial to ensure 100% security.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.