ShadowSyndicate is a prolific threat actor that has been active since July 2022, collaborated with various ransomware groups, and leverages a diverse toolkit, including Cobalt Strike, Sliver, IcedID, and Matanbuchus malware.
A distinctive feature of their operations is the consistent use of a specific SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) across numerous servers, with at least 52 linked to Cobalt Strike C2.
Following the disruption of ALPHV/BlackCat and LockBit, RansomHub emerged as a prominent RaaS operator. Capitalizing on the vacuum left by these groups, RansomHub aggressively recruited former affiliates of these groups on underground forums.
This recruitment strategy is coupled with their active exploitation of vulnerabilities that led to a significant increase in their victim count, reaching approximately 500 reported victims in 2024.
Their success can be attributed to their rapid expansion and aggressive marketing within the cybercriminal ecosystem, which solidifies their position as a major player in the ransomware landscape.
ShadowSyndicate has expanded its ransomware arsenal by affiliating with RansomHub, as analysis reveals the group deployed RansomHub in multiple attacks between September and October 2024.
Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free
Observed activity includes encryption with accompanying ransom notes demanding payment to prevent data leaks via RansomHub’s Data Leak Site (DLS).
Concurrent data exfiltration via SSH to known ShadowSyndicate servers further emphasizes the group’s aggressive operational shift.
Darktrace researchers observed ShadowSyndicate deploying RansomHub in four distinct incidents across various sectors and the attacks followed a multi-stage pattern that begins with internal reconnaissance.
Threat actors aggressively scanned the victim’s network, probing for vulnerabilities by attempting connections to other devices over critical ports like 22 (SSH), 445 (SMB), and 3389 (RDP).
The initial phase aimed to map the network infrastructure, identify potential entry points, and gather crucial information for subsequent attack stages that ultimately lead to file encryption and data exfiltration.
RansomHub attacks leverage Splashtop for initial access, followed by outbound SSH connections to ShadowSyndicate’s C2 infrastructure (46.161.27[.]151) using WinSCP for data exfiltration.
There were a variety of methods for exfiltration, including transfers to MEGA cloud storage through HTTP and SSL connections.
Lateral movement involved the use of new administrative credentials and the deployment of suspicious executables with names like “[a-zA-Z]{6}.exe” and script files like “Defeat-Defender2.bat” across the network via SMB.
Ransomware attacks leveraging RansomHub, likely orchestrated by the ShadowSyndicate group, targeted multiple systems. The attacks involved file encryption, with filenames modified with a unique six-character alphanumeric extension.
While Autonomous Response was disabled, it has been suggested that containment actions could have mitigated the impact if automated.
The rise of Ransomware-as-a-Service models like RansomHub exacerbates the threat landscape, making it crucial for organizations to implement robust defenses.