ShadowSyndicate: SSH 1ca4cbac895fc3bd12417b77fc6ed31d
Joshua Penny - Senior Threat Intelligence Analyst, Bridewell
Eline Switzer - Threat Intelligence Analyst, Group-IB
Michael Koczwara - Threat Researcher
Ransomware-as-a-Service (RaaS) is a recent development that has made ransomware even more prolific over the last few years. In simple terms, a ransomware operator will write software that allows low-skills actors (known as affiliates) to launch their own ransomware campaigns. There is no need for these affiliates to be able to code or have much technical expertise, they can simply rely on the ransomware products provided by these vendors.
In many ways, the RaaS ecosystem is comparable to how modern tech companies operate and consume software as a service (SaaS) products. While there are any number of affiliates looking for the right RaaS product to help them operate their own ransomware campaigns, the ecosystem is upheld by a number of major players who supply RaaS. These groups find success in forming, selling their product and disbanding quickly – helping them evade identification.
At Bridewell CTI, we’ve been conducting research, in collaboration with Group-IB and independent researcher Michael Koczwara, into a new, major player in the RaaS ecosystem. In this report, we’ll share our findings on this player, known as ShadowSyndicate, to uncover how they operate and what they’re doing differently to conventional RaaS groups. We’ll also be looking at the infrastructure they’ve leveraged and share indicators of compromise (IoCs) you should be aware of.
ShadowSyndicate: What Do You Need to Know?
ShadowSyndicate is unique when compared to other RaaS players. To start, it is unusual for a single Secure Shell (SSH) fingerprint to have such a complex web of connections with so many malicious servers. In total, we found ShadowSyndicate’s SSH fingerprint on 85 servers since July 2022. Additionally, we can say with various degrees of confidence that the group has used seven different ransomware families over the course of the past year, making ShadowSyndicate notable for their versatility.
At this stage, we are unable to confirm if ShadowSyndicate is a RaaS affiliate or an initial access broker, although based on our evidence, we believe that the threat actor is the former. In this report, you can find more information on our hypothoses, evidence and conclusions in this report.
Acknowledgements: We would also like to thank Nikita Rostovtsev for his contribution to this report.