Unveiling the Enigma: ShadowSyndicate’s Cyber Intrigue

Cybersecurity experts have identified a new cybercrime group called ShadowSyndicate, previously known as Infra Storm. This group has been active since July 2022 and has been associated with multiple ransomware attacks, including Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play strains. They have also been using various hacking tools like Cobalt Strike, Sliver, IcedID, and Matanbuchus.

ShadowSyndicate’s activities have been detected through a unique SSH fingerprint on 85 servers, with 52 of them serving as command-and-control (C2) centers for Cobalt Strike. Interestingly, these servers contain eight different Cobalt Strike license keys.
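Pivoting on a shared SSH host-key fingerprint, as described above, works because the fingerprint is just a hash of the public key blob a server presents on connection, so servers run from the same image or with a copied host key are trivially linkable. The Python below is an added example, not code from the original report: it computes OpenSSH-style SHA256 fingerprints from `ssh-keyscan`-style lines and groups hosts that present the same key. The hosts and keys are constructed; the report's actual fingerprint does not appear on this page.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_fingerprint(b64_blob: str) -> str:
    """OpenSSH-style fingerprint: SHA256 over the decoded key blob, base64, no padding."""
    raw = base64.b64decode(b64_blob)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(keyscan_lines):
    """Group hosts from ssh-keyscan output ("host keytype blob") by (keytype, fingerprint)."""
    clusters = defaultdict(set)
    for line in keyscan_lines:
        parts = line.strip().split()
        if not parts or parts[0].startswith("#") or len(parts) < 3:
            continue  # skip comments and malformed lines
        host, keytype, blob = parts[0], parts[1], parts[2]
        clusters[(keytype, ssh_fingerprint(blob))].add(host)
    return clusters


def shared_key_clusters(keyscan_lines, min_hosts=2):
    """Return only the clusters where several hosts share one host key (the attribution pivot)."""
    return {fp: sorted(hosts)
            for fp, hosts in cluster_by_fingerprint(keyscan_lines).items()
            if len(hosts) >= min_hosts}


# Constructed sample data below: synthetic ed25519-shaped key blobs, documentation-range IPs.
def _wire(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # SSH wire-format string


def _fake_ed25519(seed: int) -> str:
    pub = hashlib.sha256(b"constructed-key-%d" % seed).digest()  # 32-byte stand-in for a public key
    return base64.b64encode(_wire(b"ssh-ed25519") + _wire(pub)).decode()


SHARED_KEY = _fake_ed25519(1)
SAMPLE_KEYSCAN = [
    "# constructed sample, not real infrastructure",
    f"203.0.113.10 ssh-ed25519 {SHARED_KEY}",
    f"198.51.100.7 ssh-ed25519 {SHARED_KEY}",
    f"192.0.2.44 ssh-ed25519 {_fake_ed25519(2)}",
    f"203.0.113.99 ssh-ed25519 {SHARED_KEY}",
]
```

Feeding real `ssh-keyscan` output into `shared_key_clusters` surfaces hosts that share a key; a match is a lead for further infrastructure analysis, not proof of common ownership on its own.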

The majority of these servers (23) are located in Panama, followed by Cyprus (11), Russia (9), Seychelles (8), Costa Rica (7), Czechia (7), Belize (6), Bulgaria (3), Honduras (3), and the Netherlands (3). Furthermore, ShadowSyndicate has been found to have connections with other cybercrime groups like TrickBot, Ryuk/Conti, FIN7, and TrueBot.

Additionally, there have been indications of some shared infrastructure between ShadowSyndicate and Cl0p ransomware affiliates. This suggests potential collaboration between these groups.

These groups are increasingly using multilevel extortion tactics, where they not only encrypt and steal data but also threaten to publicly release it, launch DDoS attacks, or harass the victim’s customers to pressure them into paying ransoms.

Akira ransomware is another noteworthy player in the evolving threat landscape. It has expanded its reach from being a Windows-based threat to targeting Linux servers and VMware ESXi virtual machines. As of mid-September, Akira has successfully attacked 110 victims in the U.S. and the U.K.

The resurgence of ransomware attacks has led to a spike in cyber insurance claims, with claims frequency increasing by 12% in the first half of the year in the U.S. Victims reported an average loss of over $365,000, marking a 61% increase from the second half of 2022. Larger businesses with over $100 million in revenue experienced the most significant increase in claims.

Lastly, despite the evolving threat landscape, recent statistics show a 20% decline in ransomware attacks in August 2023. This decline may be attributed to the potential reduction in Cl0p’s mass exploitation of the MOVEit Transfer application. However, the impact of previous attacks continues to grow, with over 2,120 organizations and more than 62 million individuals affected by the MOVEit hack as of September 26, 2023.

Ransomware groups like Lockbit, BlackCat, Cl0p, and others remain active and continue to target both small and large enterprises, particularly in the banking, retail, and transportation sectors. The number of active Ransomware-as-a-Service (RaaS) and RaaS-related groups has grown by 11.3% in 2023, reflecting the increasing prominence of ransomware as a criminal enterprise.

These groups employ techniques like “living-off-the-land” (LotL) to blend malicious activities with legitimate IT management tools, making detection and attribution more challenging.
