ShadowSyndicate - the New APT That is Behind Seven Ransomware Strains


Cybersecurity experts have revealed the existence of a new cybercriminal group known as ShadowSyndicate, previously identified as Infra Storm. This group is suspected of having utilized up to seven different ransomware families within the past year.

ShadowSyndicate is characterized as a threat actor collaborating with various ransomware groups and affiliates of ransomware programs, as detailed in a joint technical report by Group-IB and Bridewell.

Operating since July 16, 2022, the group has been associated with ransomware activities related to Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains. Additionally, they have deployed readily available post-exploitation tools like Cobalt Strike and Sliver, as well as loaders such as IcedID and Matanbuchus.

These findings are based on the identification of a distinct SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) on 85 servers, with 52 serving as command-and-control (C2) for Cobalt Strike. Among these servers, eight different Cobalt Strike license keys (or watermarks) have been detected.
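The pivot described above, a single SSH host-key fingerprint shared by dozens of servers, is something a defender can check against their own inventory. The following is an added example, not code from the Group-IB/Bridewell report: it builds two constructed ssh-ed25519 host keys, computes MD5 fingerprints the way `ssh-keygen -l -E md5` does (MD5 over the base64-decoded key blob), and matches them against a watchlist. It assumes the 32-hex value quoted on the page is an MD5 host-key fingerprint (inferred from its length), and the host addresses and keys are constructed sample data.

```python
import base64
import hashlib
import struct
from typing import Dict, Set

# Fingerprint attributed to ShadowSyndicate infrastructure in the report (from the article).
SHADOWSYNDICATE_SSH_MD5 = "1ca4cbac895fc3bd12417b77fc6ed31d"


def ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_ed25519_key_line(raw_pubkey: bytes, comment: str = "constructed") -> str:
    """Construct an OpenSSH public-key line for a 32-byte ed25519 key (sample data only)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_pubkey)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint_md5(key_line: str) -> str:
    """MD5 fingerprint of an OpenSSH public-key line as 32 lowercase hex chars.

    OpenSSH hashes the decoded key blob, so this matches `ssh-keygen -l -E md5`.
    """
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("malformed public key line")
    return hashlib.md5(base64.b64decode(parts[1])).hexdigest()


def fingerprint_md5_colon(key_line: str) -> str:
    """Same fingerprint in the colon-separated form ssh-keygen prints."""
    fp = fingerprint_md5(key_line)
    return ":".join(fp[i:i + 2] for i in range(0, 32, 2))


def normalize(fp: str) -> str:
    """Accept 'MD5:ab:cd:...', 'ab:cd:...' or bare hex; return bare lowercase hex."""
    fp = fp.strip()
    if fp.upper().startswith("MD5:"):
        fp = fp[4:]
    return fp.replace(":", "").lower()


def parse_known_hosts(text: str) -> Dict[str, str]:
    """Map host field -> key line from known_hosts-style text ('host type base64 [comment]').

    Hashed entries (|1|...) are kept as-is: the host is opaque but the key still fingerprints.
    """
    hosts: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts[parts[0]] = " ".join(parts[1:])
    return hosts


def match_hosts(host_keys: Dict[str, str], watchlist: Set[str]) -> Dict[str, str]:
    """Return {host: fingerprint} for every host whose key fingerprint is on the watchlist."""
    wanted = {normalize(f) for f in watchlist}
    hits: Dict[str, str] = {}
    for host, key_line in host_keys.items():
        fp = fingerprint_md5(key_line)
        if fp in wanted:
            hits[host] = fp
    return hits


# Constructed sample inventory: two documentation-range addresses with made-up ed25519 keys.
KEY_A = bytes(range(32))
KEY_B = bytes(range(32, 64))
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not real hosts",
    "203.0.113.10 " + build_ed25519_key_line(KEY_A),
    "203.0.113.11 " + build_ed25519_key_line(KEY_B),
])

if __name__ == "__main__":
    inventory = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for host, line in inventory.items():
        print(host, fingerprint_md5_colon(line))
    print("watchlist hits:", match_hosts(inventory, {SHADOWSYNDICATE_SSH_MD5}))
```

In practice the key lines come from `ssh-keyscan` output or existing known_hosts files across the estate. A fingerprint shared by many unrelated servers means the same private host key was deployed to all of them (a cloned image or reused key), which is why it is such a strong pivot for clustering infrastructure; a single hit is a lead to corroborate with other indicators, since the same key-reuse pattern can also appear in legitimately cloned hosting templates.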

The majority of these servers (23) are situated in Panama, followed by Cyprus (11), Russia (9), Seychelles (8), Costa Rica (7), Czechia (7), Belize (6), Bulgaria (3), Honduras (3), and the Netherlands (3).

Potential Ties to Other Cybercriminal Outfits

Furthermore, Group-IB identified infrastructure overlaps connecting ShadowSyndicate to TrickBot, Ryuk/Conti, FIN7, and TrueBot malware operations. Notably, there have been instances of IP addresses linked to Cl0p ransomware affiliates transitioning to ShadowSyndicate ownership since August 2022, suggesting potential infrastructure sharing among these groups.

This revelation coincides with German law enforcement authorities' announcement of a second targeted operation against individuals associated with the DoppelPaymer ransomware group. Search warrants were executed against two suspects in Germany and Ukraine, both allegedly holding key responsibilities within the network and benefiting from ransomware attack proceeds. Their identities have not been disclosed.

Additionally, a joint advisory from the U.S. Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) highlights a double extortion actor called Snatch (formerly Team Truniger). This threat group has been targeting various critical infrastructure sectors since mid-2021, using multiple methods to gain network access and maintain persistence. These methods include exploiting Remote Desktop Protocol (RDP) vulnerabilities, brute-forcing, acquiring compromised credentials from criminal forums, and employing tactics to evade detection, such as rebooting Windows systems into Safe Mode.

September 27, 2023
