Executive Summary – Shadow Syndicate


Executive Summary

In late 2024, Darktrace identified multiple instances of RansomHub ransomware attacks linked to the ShadowSyndicate threat group. ShadowSyndicate, active since 2022, has been associated with several ransomware families and sophisticated tools, including Cobalt Strike and Sliver. Their latest collaboration with RansomHub, a rising Ransomware-as-a-Service (RaaS) operator, underscores an evolving threat landscape. This report details the tactics, techniques, and procedures (TTPs) observed in these attacks and provides actionable Indicators of Compromise (IoCs).

Threat Actor Overview: ShadowSyndicate

Background

ShadowSyndicate, also known as Infra Storm, has been active since July 2022. This group is recognized for partnering with prominent ransomware affiliates, including Quantum, Nokoyawa, and ALPHV.

Known Toolset

  • Cobalt Strike
  • Sliver
  • IcedID
  • Matanbuchus malware

Infrastructure Indicators

  • Persistent use of the SSH fingerprint 1c:a4:cb:ac:89:5f:c3:bd:12:41:7b:77:fc:6e:d3:1d across the group's server infrastructure.
  • As of September 2023, this fingerprint was associated with 85 servers, 52 of which were linked to Cobalt Strike command-and-control (C2) servers.

Emergence of RansomHub Ransomware

Overview

RansomHub emerged as a significant RaaS platform after the FBI’s disruption of ALPHV/BlackCat in late 2023. The takedown of LockBit in early 2024 further positioned RansomHub as a dominant force in the ransomware ecosystem.

Key Developments

  • Rapid recruitment of affiliates, including former members of disrupted groups.
  • Approximately 500 reported victims since February 2024.
  • Aggressive marketing and attractive affiliate compensation (up to 90% of ransom payments).

Observed Collaboration

Timeline

Between July 2022 and September 2023, ShadowSyndicate utilized multiple ransomware families. By late 2024, the group incorporated RansomHub into their operations.

Motivations

RansomHub’s competitive affiliate compensation and robust infrastructure likely incentivized ShadowSyndicate to adopt their platform.

Tactics, Techniques, and Procedures (TTPs)

1. Initial Access

  • Phishing Campaigns: Spear-phishing emails delivering malicious payloads.
  • Exploitation of Vulnerabilities: Targeting unpatched systems.

2. Establishing Persistence

  • Deployment of Cobalt Strike and Sliver for sustained access.

3. Credential Access

  • Use of IcedID and Matanbuchus malware for credential harvesting and privilege escalation.

4. Lateral Movement

  • Exploitation of compromised SSH credentials to navigate networks.

5. Data Exfiltration

  • Tools such as Rclone and the Mega.nz file-sharing service used to exfiltrate sensitive data.

6. Ransom Operations

  • Encryption of systems using RansomHub tools.
  • Ransom demands facilitated via RansomHub’s payment infrastructure.

Indicators of Compromise (IoCs)

SSH Fingerprint

  • 1c:a4:cb:ac:89:5f:c3:bd:12:41:7b:77:fc:6e:d3:1d

IP Addresses


Domains

  • vkmuz[.]net
  • api.playanext[.]com
  • safe-proxy[.]com
  • freevpn[.]zone

Mitigation Strategies

1. Regular Patching

Ensure systems are kept up to date with the latest security patches.

2. Network Monitoring

Deploy monitoring tools to detect anomalous activities, including unusual SSH connections.
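As an added example that is not part of the original advisory, the following Python snippet turns the SSH fingerprint and domain IoCs listed above into two simple detection checks: it computes the legacy MD5 colon-hex fingerprint of an observed SSH host key and compares it with the tracked value, and it scans DNS query logs for lookups of the listed domains (including subdomains, after refanging the published `[.]` form). The `client=... query=...` log format and the sample log lines are constructed assumptions, not data from the report.

```python
import base64
import hashlib
import re

# Indicators taken from the advisory above; domains kept in their published defanged form.
SSH_FINGERPRINT_IOC = "1c:a4:cb:ac:89:5f:c3:bd:12:41:7b:77:fc:6e:d3:1d"
DOMAIN_IOCS = ["vkmuz[.]net", "api.playanext[.]com", "safe-proxy[.]com", "freevpn[.]zone"]
# Hypothetical DNS log format: '<timestamp> client=<ip> query=<name> type=<rrtype>'
DNS_LOG_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'vkmuz[.]net' into a matchable lowercase hostname."""
    return indicator.replace("[.]", ".").strip().lower()

def md5_fingerprint(openssh_pubkey_line: str) -> str:
    """Legacy MD5 colon-hex fingerprint (the advisory's format) of an OpenSSH public-key
    line such as 'ssh-ed25519 AAAA... comment'; the digest covers the raw key blob."""
    key_blob = base64.b64decode(openssh_pubkey_line.split()[1])
    digest = hashlib.md5(key_blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def host_key_matches_ioc(openssh_pubkey_line: str, ioc: str = SSH_FINGERPRINT_IOC) -> bool:
    """True when the server host key's MD5 fingerprint equals the tracked fingerprint."""
    return md5_fingerprint(openssh_pubkey_line) == ioc.lower()

def matching_domain(hostname: str, iocs=DOMAIN_IOCS):
    """Return the IoC domain that hostname equals or is a subdomain of, else None."""
    host = hostname.lower().rstrip(".")
    for ioc in map(refang, iocs):
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None

def scan_dns_log(lines):
    """Return (client, queried name, matched IoC) for every lookup of an IoC domain."""
    hits = []
    for line in lines:
        m = DNS_LOG_RE.search(line)
        if m and (ioc := matching_domain(m["query"])):
            hits.append((m["client"], m["query"], ioc))
    return hits

# Constructed sample log, not from the advisory; the last line is a near-miss that must not fire.
SAMPLE_DNS_LOG = [
    "2024-11-03T10:12:01Z client=10.0.0.5 query=www.example.com type=A",
    "2024-11-03T10:12:07Z client=10.0.0.9 query=api.playanext.com type=A",
    "2024-11-03T10:13:44Z client=10.0.0.5 query=cdn.vkmuz.net type=A",
    "2024-11-03T10:14:02Z client=10.0.0.12 query=freevpn.zone.example.org type=A",
]
```

The host-key check accepts the public-key line as written to `known_hosts` or printed by `ssh-keyscan`, so it can be run over keys collected from outbound SSH sessions; the DNS scan returns tuples that can be forwarded to a SIEM as alerts.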

3. Employee Training

Conduct awareness programs on phishing and social engineering threats.

4. Access Controls

Implement role-based access controls and regularly audit user privileges.

5. Incident Response Preparedness

Develop and rehearse incident response plans for swift containment and recovery.

Conclusion

ShadowSyndicate’s integration of RansomHub illustrates the adaptive nature of ransomware operations. Organizations must adopt proactive measures to mitigate risks associated with such advanced threats. By leveraging the provided IoCs and recommended mitigations, defenders can enhance their security posture against these adversaries.
