Security researchers have identified a new cybercrime group known as ShadowSyndicate, which has been linked to the use of seven different ransomware families over the past year. The group is believed to have been active since at least July 2022 and has targeted a wide range of organizations, including businesses, government agencies, and educational institutions.
Group-IB analysts, in collaboration with Bridewell and independent researcher Michael Koczwara, have linked ShadowSyndicate, with varying levels of confidence, to the use of the Quantum, Nokoyawa, BlackCat/ALPHV, Clop, Royal, Cactus, and Play ransomware families in a series of intrusions tracked since July 2022.
ShadowSyndicate is a particularly dangerous threat because of its versatility. The group is not tied to any single ransomware family but switches strains from victim to victim. This makes life harder for defenders: indicators tied to any one ransomware family will not reliably reveal the group's activity, so detection has to lean on the tooling and infrastructure the group reuses across intrusions.
The ransomware families that ShadowSyndicate has been linked to are:
- Quantum
- Nokoyawa
- BlackCat/ALPHV
- Clop
- Royal
- Cactus
- Play
The group has also been known to use a variety of off-the-shelf post-exploitation tools and loaders, such as Cobalt Strike, Sliver, IcedID, and Matanbuchus.
Security researchers are still learning about ShadowSyndicate and its tactics, but it is clear that the group is a serious threat to organizations of all sizes. Organizations should take steps to protect themselves from ShadowSyndicate’s attacks by implementing strong security controls, such as multi-factor authentication, network segmentation, and regular backups.
Here are some additional details about ShadowSyndicate’s activities, based on the research of Group-IB and other security firms:
- ShadowSyndicate typically gains initial access through phishing and by exploiting unpatched vulnerabilities in software and hardware.
- Once inside a victim's network, the group deploys a variety of tools and techniques to move laterally across the network and steal data.
- ShadowSyndicate then deploys ransomware to encrypt the victim's data and demands a ransom payment in exchange for the decryption key.
- The group has also been known to threaten to leak the stolen data or launch further attacks if the ransom is not paid.
Organizations can protect themselves from ShadowSyndicate by taking the following steps:
- Implement multi-factor authentication for all remote access and privileged accounts.
- Segment your network to prevent attackers from moving laterally if they do gain access.
- Regularly back up your data, store the backups offline or otherwise isolated from the production network, and periodically test that they can actually be restored.
- Educate your employees about cybersecurity best practices, such as phishing awareness and password security.
- Keep your software and hardware up to date with the latest security patches.
If you believe that your organization has been targeted by ShadowSyndicate, you should immediately contact a cybersecurity professional for assistance.
For details that could help defenders detect and attribute ShadowSyndicate activity, Group-IB has published a report today with technical data from their research.