Computer Crime Research Center


ShadowSyndicate cybercrime gang has used 7 ransomware families over the past year

Date: October 02, 2023
Source: Computer Crime Research Center
By: Lucian Constantin

Researchers from Group-IB believe it's likely the group is an independent affiliate working for multiple ransomware-as-a-service operations

A previously undocumented cybercrime group has built a collection of over 80 command-and-control (C2) servers for malware implants over the past two years. The gang, which researchers have now dubbed ShadowSyndicate, is believed to be either an initial access broker or an affiliate working with multiple ransomware-as-a-service (RaaS) operations.

"It's incredibly rare for one Secure Shell (SSH) fingerprint to have such a complex web of connections with a large number of malicious servers," researchers from cybercrime investigations firm Group-IB said in a report.

"In total, we found ShadowSyndicate's SSH fingerprint on 85 servers since July 2022. Additionally, we can say with various degrees of confidence that the group has used seven different ransomware families over the course of the past year, making ShadowSyndicate notable for their versatility."

Group-IB analysts partnered with researcher Joshua Penny from European MSSP Bridewell and independent malware researcher Michael Koczwara to investigate all the connections they found and try to determine what ShadowSyndicate is: a server host that deploys servers with the same SSH fingerprint, a DevOps engineer for threat actors, a bulletproof hosting service for cybercriminals, an initial access broker, or a RaaS affiliate.
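The pivot the researchers describe, linking many servers through one shared SSH host-key fingerprint, is something a defender can reproduce against their own scan data. The following is an added example written for this page, not code from the article, from Group-IB, or from the researchers named above. It assumes input in the three-column format that ssh-keyscan prints (host, key type, base64 key blob), computes the same SHA256 fingerprint that OpenSSH reports (base64 of the SHA-256 of the raw key blob, padding stripped), and groups hosts by fingerprint so that any fingerprint shared across unrelated hosts stands out. The hosts, key blobs and scan lines are constructed in the block; the key material is not a real key pair.

```python
import base64
import binascii
import hashlib
import struct
from collections import defaultdict


def ssh_string(b: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (uint32 length prefix + data)."""
    return struct.pack(">I", len(b)) + b


def make_ed25519_blob(seed: int) -> bytes:
    """Constructed ssh-ed25519 public-key blob for the sample; NOT a real key pair.
    The 32-byte 'public key' is just a hash of the seed, but the wire layout is
    the one ssh-keyscan emits, so fingerprinting behaves as it would on real keys."""
    pub = hashlib.sha256(b"constructed-key-%d" % seed).digest()
    return ssh_string(b"ssh-ed25519") + ssh_string(pub)


def fingerprint(blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(blob)) with '=' padding removed."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line: str):
    """Parse one ssh-keyscan output line: '<host> <keytype> <base64 blob>'.
    Returns (host, keytype, blob) or None for comments, short lines, bad base64,
    or a blob whose embedded type string does not match the declared key type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 3:
        return None
    host, keytype, b64 = parts[0], parts[1], parts[2]
    try:
        blob = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(blob) < 4:
        return None
    n = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + n] != keytype.encode():
        return None  # declared type and blob disagree; treat as corrupt input
    return host, keytype, blob


def cluster_by_fingerprint(lines):
    """Map each fingerprint to the set of hosts that presented it."""
    groups = defaultdict(set)
    for line in lines:
        parsed = parse_keyscan_line(line)
        if parsed is None:
            continue
        host, _, blob = parsed
        groups[fingerprint(blob)].add(host)
    return dict(groups)


def shared_fingerprints(groups, min_hosts=2):
    """Fingerprints seen on at least min_hosts distinct hosts, hosts sorted for stable output.
    One host key reused across many servers is the signal the pivot relies on."""
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) >= min_hosts}


def _b64(blob: bytes) -> str:
    return base64.b64encode(blob).decode()


# Constructed sample scan output (documentation-range IPs, fake keys). Three hosts
# share one key blob, one host has its own, one line has a mismatched key type.
SAMPLE_KEYSCAN = [
    "# constructed sample, not real scan data",
    "203.0.113.10 ssh-ed25519 " + _b64(make_ed25519_blob(1)),
    "198.51.100.7 ssh-ed25519 " + _b64(make_ed25519_blob(1)),
    "203.0.113.44 ssh-ed25519 " + _b64(make_ed25519_blob(1)),
    "192.0.2.5 ssh-ed25519 " + _b64(make_ed25519_blob(2)),
    "192.0.2.9 ssh-rsa " + _b64(make_ed25519_blob(2)),
    "garbage",
]


if __name__ == "__main__":
    for fp, hosts in shared_fingerprints(cluster_by_fingerprint(SAMPLE_KEYSCAN)).items():
        print(fp, "->", ", ".join(hosts))
```

Feeding real ssh-keyscan output into cluster_by_fingerprint gives the same grouping; a fingerprint that recurs on hosts you do not expect to share a key is the starting point for the kind of infrastructure correlation described above, not proof of a common operator on its own, since hosting providers and cloned images also produce reused host keys.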


Copyright © 2001-2013 Computer Crime Research Center