Man in hoodie with crossed arms

Fingerprints Point to New Global Ransomware-As-A-Service Threat Actor

Published 26 September 2023

International cyber crime group ShadowSyndicate’s unique level of threat revealed in report by Bridewell and Group-IB.

Reading, UK – 26 September 2023 – A new threat actor, ShadowSyndicate, is almost certainly a Ransomware-as-a-Service (RaaS) affiliate, with its tentacles spread around the globe through a complex and highly unusual network of web connections and malicious servers, a new report reveals.

The report details findings from a joint investigation by Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, Bridewell, a leading global cyber security firm, and independent threat researcher Michael Koczwara. This research was conducted as part of Group-IB’s new Cybercrime Fighters Club programme – a collaborative initiative promoting the exchange of knowledge and joint cyber security research.

ShadowSyndicate (not to be confused with Shadow ransomware) has been active since July 2022 and is still active today, the report found. The affiliate was discovered to be highly versatile, as researchers were able to strongly link the group to attacks involving three different ransomware families; with evidence also suggesting the group potentially leveraged four more types of ransomware. The researchers identified its Secure Shell (SSH) fingerprint on 85 servers in 13 different countries, with Panama by far the most favoured. The group were also identified to have a foothold in and control over infrastructure in Cyprus, the Russian Federation and the Seychelles.

With a high degree of confidence, Group-IB and Bridewell believe ShadowSyndicate has been responsible for Quantum, Nokoyawa and ALPHV ransomware activity over the last 12 months. The companies also found credible connections between ShadowSyndicate infrastructure and Cl0p ransomware and Truebot malware.

Two prolific malware families, IcedID and Matanbuchus, were also strongly suspected to have been used by the RaaS group. These malware strains are used specifically by threat actors that specialise in infiltrating computer systems and networks, such as initial access brokers, to facilitate ransomware attacks.

The researchers discovered the group deploys off-the-shelf penetration-testing toolkits such as Cobalt Strike and Sliver. These penetration testing tools, designed to perform security testing on organisations, can be manipulated and used by threat actors to enact real-life attacks. At least 52 servers with the ShadowSyndicate fingerprint were used as a Cobalt Strike C2 framework.

Joshua Penny, Senior Cyber Threat Intelligence Analyst at Bridewell says: “The balance of our evidence suggests ShadowSyndicate is a dangerous new ransomware affiliate that has left its fingerprint all around the globe. All organisations need to take the threat very seriously as prominent RaaS groups and their affiliates such as ShadowSyndicate can wreak havoc. The RaaS industry is a lucrative and fast-growing criminal enterprise operation that will continue to expand as threat actors develop new and more sophisticated methods of hacking company servers and systems.”

“The discovery of ShadowSyndicate is highly significant, as it reveals the evolving tactics of threat actors, who now have more tools than ever that they can wield against potential victims,” Eline Switzer, Threat Intelligence Analyst at Group-IB says. “This research was made possible through the joint efforts of multiple parties, demonstrating the effectiveness of collaborative research initiatives, such as Group-IB’s Cybercrime Fighters Club.”

The research report includes a full list of IP addresses with links to ShadowSyndicate. To download the report, click on this link.


Joshua Penny

Senior Threat Intelligence Analyst