Researchers uncover RaaS affiliate distributing multiple ransomware strains

Donny Jackson, Editor

September 27, 2023

2 Min Read
Researchers uncover RaaS affiliate distributing multiple ransomware strains

A new threat group is leveraging a relatively large network of malicious servers to distribute and manage multiple ransomware families including prolific ones such as ALPHV, Quantum, and Nokoyawa.

The group has been active since at least June 2022 and appears to have links to the operators of Cl0p, Play, Royal, and Cactus ransomware families as well, an analysis by Group-IB and other researchers has shown.

An Unusual RaaS Affiliate

Based on available evidence, the threat actor, which Group-IB is tracking as ShadowSyndicate, appears to be a ransomware-as-a-service (RaaS) affiliate, meaning it distributes ransomware authored by other RaaS operators in exchange for a portion of the ransom payment.

What makes ShadowSyndicate somewhat different from other affiliates is the number of ransomware families it has distributed over the past one year, says Eline Switzer, threat intelligence analyst at Group-IB. “At this stage, our hypothesis is that ShadowSyndicate is a RaaS affiliate, although this is one of several potential explanations for this malicious activity,” Switzer says. “The fact that several different ransomware families were used, especially within the course of a single year, is peculiar for a single affiliate, and we haven’t seen such examples of this in the past.”

Ransomware affiliates are often not as well known as the RaaS operators on whose behalf they distribute ransomware. But they have played a singular role in the proliferation of ransomware-as-a-service offerings such as REvil/Sodinokibi, Ryuk, Conti, Hive, DoppelPaymer, and Lockbit in recent years. While RaaS operators usually provide the malware payloads, supporting infrastructure, and sometimes even initial access, affiliates are often the ones responsible for distributing the malware, infecting networks, negotiating ransoms, and collecting payments. Major RaaS programs such as Lockbit can have tens, sometimes even hundreds, of affiliates carrying out attacks and distributing their malware.

But it’s rare for a single affiliate to stand out from the others in the manner that ShadowSyndicate has, and it is rarer for them to be so broad in scope. Group-IB’s assessment of the ShadowSyndicate operation, based largely on its analysis of publicly available information, for instance, showed the threat actor is using at least 85 servers in its attacks. To put that number in context, Switzer points to groups such as ALPHV, Hive, and Conti that use around 50 servers and operations such as Cl0p and Royal, which have over 100 servers.

To read the complete article, visit Dark Reading.

 

About the Author

Donny Jackson

Editor, Urgent Communications

Donny Jackson is director of content for Urgent Communications. Before joining UC in 2003, he covered telecommunications for four years as a freelance writer and as news editor for Telephony magazine. Prior to that, he worked for suburban newspapers in the Dallas area, serving as editor-in-chief for the Irving News and the Las Colinas Business News.

Subscribe to receive Urgent Communications Newsletters
Catch up on the latest tech, media, and telecoms news from across the critical communications community