ShadowSyndicate Cybercrime gang has used 7 ransomware families over the past year


Other servers with ShadowSyndicate’s SSH fingerprint were used as C2 servers for Sliver, an open-source penetration testing tool written in Go; for IcedID, a Trojan that has been used as malware dropped by multiple ransomware gangs in recent years; for Meterpreter, the implant from the Metasploit penetration testing framework; and for Matanbuchus, a Malware-as-a-Service (MaaS) loader that can also be used to deploy payloads.

In fact, there might even be a connection between some of these. For example, IcedID has been used to deploy Cobalt Strike implants before. It has also been used in connection with the Karakurt, RansomEXX, Black Basta, Nokoyawa, Quantum, REvil, Xingteam, and Conti ransomware families.

A successful ransomware affiliate

The researchers said they are fairly confident that ShadowSyndicate is not a hosting service because the servers were located in 13 different countries — with Panama being the favorite — and across different networks belonging to different organizations.

The researchers have found strong connections between ShadowSyndicate and attacks with Quantum (September 2022), Nokoyawa (October 2022, November 2022, and March 2023) and ALPHV (aka BlackCat) ransomware in February 2023. Weaker connections were found with Royal, Cl0p and Play ransomware.

“While checking List A servers using Group-IB data sources, we established that some servers were mapped as Ryuk, Conti, and Trickbot,” the researchers said. “However, these criminal groups no longer exist. Ryuk ceased to exist at the end of 2021, while Conti and Trickbot (which are connected) went dormant at the beginning of 2022. Researchers believe that former members of these groups could be continuing with their criminal activity using the same infrastructure, but they might now operate individually or in other criminal groups.”

There is a possibility that ShadowSyndicate is an initial access broker, a type of threat actor that compromises systems and sells the access gained to other cybercriminals, including ransomware gangs. However, the researchers believe it’s more likely that the group is actually an independent affiliate working for multiple RaaS operations.

ShadowSyndicate suspected of being RaaS affiliate to several ransomware families


A suspected ransomware-as-a-service affiliate dubbed “ShadowSyndicate” has been observed operating with a single Secure Shell (SSH) fingerprint on 85 servers since July 2022 and has used seven different ransomware families to launch attacks during the past year.

In a blog post Sept. 26, Group-IB researchers said it’s very rare for one SSH fingerprint to have such a complex web of connections with a large number of malicious servers.

Group-IB said it was unable to confirm for certain whether ShadowSyndicate operates as a RaaS affiliate or an initial access broker, but based on its research, Group-IB believed that the threat actor was operating as a RaaS affiliate.

Group-IB based its theory on the finding that watermarks from several of the seven ransomware groups identified could be detected on a single server. While this complicates attribution, the researchers said it supported their theory that ShadowSyndicate operated as a RaaS affiliate working with various RaaS groups.

The Group-IB researchers said they can attribute ShadowSyndicate with a high degree of confidence to Quantum ransomware activity in September 2022, the Nokoyawa ransomware group in October 2022 and March 2023, and ALPHV (BlackCat) activity in February 2023.

The researchers can attribute the following ransomware groups to ShadowSyndicate with a low degree of confidence: Royal, Cl0p, Cactus, and Play. ShadowSyndicate was also found to use known off-the-shelf toolkits such as Cobalt Strike, IcedID, and Sliver malware. At least 52 of the servers use a Cobalt Strike C2 framework.

Group-IB conducted the research on the ShadowSyndicate by forming a Cybercrime Fighters Club with Joshua Penny from Bridewell, Group-IB’s longtime MSSP partner in Europe, and threat researcher Michael Koczwara.

When groups start using technology such as Cobalt Strike, IcedID, and Sliver and SSH servers that are “fingerprintable,” it can go both ways when it comes to attribution, said Mayuresh Dani, manager, threat research at Qualys.

“Unique fingerprints lead to precise attribution and shared fingerprints lead to incorrect attribution,” said Dani. “However, their use of off-the-shelf multiple ransomware families, C2…

Minneapolis Public Schools has begun to contact families whose data was accessed in February hack


58 per cent of malware families sold as service are ransomware


New Delhi: A new study has revealed that 58 per cent of malware families sold as a service are ransomware.

The Kaspersky Digital Footprint Intelligence team presented a study that unveiled ransomware as the most widespread Malware-as-a-Service (MaaS) over the past seven years.

The study is based on research conducted on 97 malware families distributed on the dark web and other resources. Moreover, the researchers discovered that cybercriminals often hire infostealers, botnets, loaders and backdoors to carry out their attacks.

MaaS is an illicit business model in which software for carrying out cyberattacks is leased to customers.

Clients of such services are typically provided with a personal account, through which they control the attack, and with technical support. This lowers the initial threshold of expertise that would-be cybercriminals must meet.

Experts analysed malware families’ sales volumes, posts, mentions, discussions and more to identify popular MaaS types.

Ransomware emerged as the top MaaS type, accounting for 58 per cent of all distributed families from 2015 to 2022.

Cybercriminals can subscribe to Ransomware-as-a-service (RaaS) for free. After they become partners in the programme, they have to pay for the service after each successful attack.

“Cybercriminals actively trade illicit goods and services, including malware and stolen data, over the shadow segments of the internet. By understanding how this market is structured, companies can gain insights into the methods and motivations of potential attackers,” said Alexander Zabrovsky, Digital Footprint Analyst at Kaspersky.

Organisations can protect themselves from MaaS by always keeping software updated on all devices, to prevent attackers from infiltrating the network by exploiting vulnerabilities, and by using the latest threat intelligence to stay aware of the actual TTPs used by threat actors.

This post was last modified on July 2, 2023 9:01 pm
