Researchers Uncover RaaS Affiliate Distributing Multiple Ransomware Strains

A new threat group is leveraging a relatively large network of malicious servers to distribute and manage multiple ransomware families including prolific ones such as ALPHV, Quantum, and Nokoyawa.

The group has been active since at least June 2022 and appears to have links to the operators of Cl0p, Play, Royal, and Cactus ransomware families as well, an analysis by Group-IB and other researchers has shown.

An Unusual RaaS Affiliate

Based on available evidence, the threat actor, which Group-IB is tracking as ShadowSyndicate, appears to be a ransomware-as-a-service (RaaS) affiliate, meaning it distributes ransomware authored by other RaaS operators in exchange for a portion of the ransom payment.

What makes ShadowSyndicate somewhat different from other affiliates is the number of ransomware families it has distributed over the past one year, says Eline Switzer, threat intelligence analyst at Group-IB. "At this stage, our hypothesis is that ShadowSyndicate is a RaaS affiliate, although this is one of several potential explanations for this malicious activity," Switzer says. "The fact that several different ransomware families were used, especially within the course of a single year, is peculiar for a single affiliate, and we haven't seen such examples of this in the past."

Ransomware affiliates are often not as well known as the RaaS operators on whose behalf they distribute ransomware. But they have played a singular role in the proliferation of ransomware-as-a-service offerings such as REvil/Sodinokibi, Ryuk, Conti, Hive, DoppelPaymer, and Lockbit in recent years. While RaaS operators usually provide the malware payloads, supporting infrastructure, and sometimes even initial access, affiliates are often the ones responsible for distributing the malware, infecting networks, negotiating ransoms, and collecting payments. Major RaaS programs such as Lockbit can have tens, sometimes even hundreds, of affiliates carrying out attacks and distributing their malware.

But it's rare for a single affiliate to stand out from the others in the manner that ShadowSyndicate has, and it is rarer for them to be so broad in scope. Group-IB's assessment of the ShadowSyndicate operation, based largely on its analysis of publicly available information, for instance, showed the threat actor is using at least 85 servers in its attacks. To put that number in context, Switzer points to groups such as ALPHV, Hive, and Conti that use around 50 servers and operations such as Cl0p and Royal, which have over 100 servers.

Broad Scope

ShadowSyndicate's servers are located across different regions, though Panama appears to be the threat actor's country of choice, Group-IB found. Some 52 of the systems with ShadowSyndicate's Secure Shell (SSH) fingerprint are being used as Cobalt Strike command-and-control (C2) servers that allow the threat actor to manage and coordinate its malware campaign.

In addition to Cobalt Strike, Group-IB found that ShadowSyndicate is using other tools such as the Sliver and Meterpreter penetration testing tools, IcedID banking Trojan, and Matanbuchus, a malware loader, in carrying out its attacks. Group-IB was able to conclusively link ShadowSyndicate's C2 servers to a series of Nokoyawa ransomware attacks in late 2022, a Quantum attack in September 2022, and with ALPHV, aka BlackCat ransomware, a month ago.

The company was able to establish similar links between ShadowSyndicate's C2 and server infrastructure and other dangerous ransomware families such as Play, Royal, and Cl0p. Many of the ransomware attacks that Group-IB was able to link with ShadowSyndicate's malicious infrastructure happened this year.

ShadowSyndciate presence in a space that's already crowded with a vast and growing number of threat actors is an indication of the continuing returns attackers are able to garner via ransomware attacks. A new report from the NCC Group this week showed the volume of ransomware attacks dipping slightly last month after hitting a peak in July. As expected, almost half the attacks (47%) targeted organizations in North America, with industrial, consumer, and technology sectors bearing the brunt. Lockbit 3.0 affiliates were responsible for 125 of the 390 attacks that NCC counted, marking a 150% month-over-month increase from July.

"At the start of our research, we established five hypotheses about ShadowSyndicate that we set out to prove," Group-IB said. Among them were theories about ShadowSyndicate being a host of malicious servers for other threat actors or being an initial access broker or an RaaS affiliate. "Although we have not reached a final verdict all the facts obtained during our research suggest that … ShadowSyndicate is a RaaS affiliate that uses various types of malware," Group-IB said.