We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

ShadowSyndicate Linked to Multiple Ransomware Families

ShadowSyndicate Linked to Multiple Ransomware Families
Author Image Zane Kennedy
Zane Kennedy Published on 8th October 2023 Cybersecurity Researcher

Recent investigations by cybersecurity experts have unveiled ShadowSyndicate, a clandestine cybercrime group that has been operational since July 16, 2022. Notably, this group is linked to deploying as many as seven distinct ransomware families over the past year. Formerly known as Infra Storm, the group's activities have raised alarm bells in the cybersecurity community.

Group-IB, Bridewell, and independent cybersecurity researcher Michael Koczwara have shed light on ShadowSyndicate's operations and affiliations in a collaborative report. Their findings connect ShadowSyndicate with multiple ransomware strains, including Quantum, Nokoyawa, BlackCat, Royal, Cl0p, Cactus, and Play.

What's equally concerning is the group's usage of advanced post-exploitation tools. Instruments such as Cobalt Strike and Sliver and malware like IcedID and Matanbuchus have been identified in their arsenal, suggesting a sophisticated modus operandi. Central to this revelation was a distinctive SSH fingerprint that linked the group with 85 servers. More than half of these servers functioned as command-and-control (C2) points for the Cobalt Strike tool.

The geographical spread of these servers adds another layer to the situation's complexity. Most of them are strategically placed, with privacy-friendly Panama hosting the majority. Other nations on the list include Cyprus, Russia, the Seychelles, and more.

Additional findings by the investigating agencies hinted that ShadowSyndicate was previously connected with renowned ransomware players TrickBot and Ryuk. While these gangs no longer exist, the researchers also observed that 12 IP addresses previously associated with Cl0p ransomware affiliates seem to have transitioned to ShadowSyndicate. Such overlaps suggest shared infrastructures and collaborations among these cybercrime entities.

This disclosure is timely, considering the rising global unease around ransomware attacks. The U.S. Department of Homeland Security recently spotlighted the evolving tactics of ransomware entities, with their report underscoring the innovation and persistence of these groups. U.S. agencies have also been flagging threats from another actor, Snatch, which has been targeting vital infrastructure with alarming frequency.

The repercussions are felt widely. Insurance claims pertaining to ransomware incidents have surged. The amount of money involved in ransom demands has also escalated dramatically.

As illustrated by this investigation, the cybersecurity landscape is in constant flux. With ransomware families like BlackCat, Cl0p, and LockBit continually evolving their strategies, the challenges for defense mechanisms intensify.

About the Author

Zane is a Cybersecurity Researcher and Writer at vpnMentor. His extensive experience in the tech and cybersecurity industries provides readers with accurate and trustworthy news stories and articles. He aims to help individuals protect themselves through informative content and awareness of cybersecurity's crucial role in today's digital landscape.