Researchers Uncover RaaS Affiliate Distributing Multiple Ransomware Strains

Published: 23/11/2024   Category: security




Ransomware-as-a-service affiliate ShadowSyndicate is unusual for the size of its malicious infrastructure and the fact that it is distributing seven different ransomware strains.



A new threat group is leveraging a relatively large network of malicious servers to distribute and manage multiple ransomware families including prolific ones such as ALPHV, Quantum, and Nokoyawa.
The group has been active since at least June 2022 and appears to have links to the operators of Cl0p, Play, Royal, and Cactus ransomware families as well, an analysis by Group-IB and other researchers has shown.
Based on available evidence, the threat actor, which Group-IB is tracking as ShadowSyndicate, appears to be a ransomware-as-a-service (RaaS) affiliate, meaning it distributes ransomware authored by other RaaS operators in exchange for a portion of the ransom payment.
What makes ShadowSyndicate somewhat different from other affiliates is the number of ransomware families it has distributed over the past year, says Eline Switzer, threat intelligence analyst at Group-IB. "At this stage, our hypothesis is that ShadowSyndicate is a RaaS affiliate, although this is one of several potential explanations for this malicious activity," Switzer says. "The fact that several different ransomware families were used, especially within the course of a single year, is peculiar for a single affiliate, and we haven't seen such examples of this in the past."
Ransomware affiliates are often not as well known as the RaaS operators on whose behalf they distribute ransomware. But they have played a singular role in the proliferation of ransomware-as-a-service offerings such as REvil/Sodinokibi, Ryuk, Conti, Hive, DoppelPaymer, and Lockbit in recent years. While RaaS operators usually provide the malware payloads, supporting infrastructure, and sometimes even initial access, affiliates are often the ones responsible for distributing the malware, infecting networks, negotiating ransoms, and collecting payments. Major RaaS programs such as Lockbit can have tens, sometimes even hundreds, of affiliates carrying out attacks and distributing their malware.
But it's rare for a single affiliate to stand out from the others in the manner that ShadowSyndicate has, and it is rarer for them to be so broad in scope. Group-IB's assessment of the ShadowSyndicate operation, based largely on its analysis of publicly available information, for instance, showed the threat actor is using at least 85 servers in its attacks. To put that number in context, Switzer points to groups such as ALPHV, Hive, and Conti that use around 50 servers and operations such as Cl0p and Royal, which have over 100 servers.
ShadowSyndicate's servers are located across different regions, though Panama appears to be the threat actor's country of choice, Group-IB found. Some 52 of the systems with ShadowSyndicate's Secure Shell (SSH) fingerprint are being used as Cobalt Strike command-and-control (C2) servers that allow the threat actor to manage and coordinate its malware campaign.
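The pivot described above, clustering scanned hosts by a shared SSH host key fingerprint and then checking how many of those hosts also show C2 indicators, is shown here as an added example; it is not code from Group-IB or the original article. The scan records and key material are constructed stand-ins, and the `cobalt-strike` tag is a hypothetical scanner label.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample scan records: each host's SSH host public key blob
# (stand-in bytes, not real keys) and the service tags a scanner attached.
# Three hosts share KEY_A, i.e. they were built from the same image or config.
KEY_A = b"constructed-host-key-blob-A"
KEY_B = b"constructed-host-key-blob-B"
SCAN_RECORDS = [
    {"ip": "198.51.100.10", "host_key": KEY_A, "tags": ["cobalt-strike"]},
    {"ip": "198.51.100.11", "host_key": KEY_A, "tags": ["cobalt-strike"]},
    {"ip": "203.0.113.5",   "host_key": KEY_A, "tags": []},
    {"ip": "203.0.113.9",   "host_key": KEY_B, "tags": ["cobalt-strike"]},
]


def ssh_fingerprint(host_key: bytes) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' + base64(SHA-256(key blob)),
    with the trailing '=' padding removed, as ssh-keygen -l prints it."""
    digest = hashlib.sha256(host_key).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def cluster_by_fingerprint(records):
    """Group host IPs by SSH fingerprint; returns {fingerprint: [ip, ...]}."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[ssh_fingerprint(rec["host_key"])].append(rec["ip"])
    return dict(clusters)


def c2_overlap(records, fingerprint, tag="cobalt-strike"):
    """For one fingerprint cluster, return (hosts in cluster, hosts also tagged
    as C2). A high ratio is what links infrastructure to a campaign."""
    hosts = [r for r in records if ssh_fingerprint(r["host_key"]) == fingerprint]
    tagged = [r["ip"] for r in hosts if tag in r["tags"]]
    return len(hosts), len(tagged)


if __name__ == "__main__":
    for fp, ips in cluster_by_fingerprint(SCAN_RECORDS).items():
        total, tagged = c2_overlap(SCAN_RECORDS, fp)
        print(f"{fp}: {total} hosts, {tagged} with C2 tag -> {ips}")
```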
In addition to Cobalt Strike, Group-IB found that ShadowSyndicate is using other tools such as the Sliver and Meterpreter penetration testing tools, the IcedID banking Trojan, and Matanbuchus, a malware loader, in carrying out its attacks. Group-IB was able to conclusively link ShadowSyndicate's C2 servers to a series of Nokoyawa ransomware attacks in late 2022, a Quantum attack in September 2022, and an ALPHV (aka BlackCat) ransomware attack a month ago.
The company was able to establish similar links between ShadowSyndicate's C2 and server infrastructure and other dangerous ransomware families such as Play, Royal, and Cl0p. Many of the ransomware attacks that Group-IB was able to link with ShadowSyndicate's malicious infrastructure happened this year.
ShadowSyndicate's presence in a space that's already crowded with a vast and growing number of threat actors is an indication of the continuing returns attackers are able to garner via ransomware attacks. A new report from the NCC Group this week showed the volume of ransomware attacks dipping slightly last month after hitting a peak in July. As expected, almost half the attacks (47%) targeted organizations in North America, with industrial, consumer, and technology sectors bearing the brunt. Lockbit 3.0 affiliates were responsible for 125 of the 390 attacks that NCC counted, marking a 150% month-over-month increase from July.
"At the start of our research, we established five hypotheses about ShadowSyndicate that we set out to prove," Group-IB said. Among them were theories about ShadowSyndicate being a host of malicious servers for other threat actors or being an initial access broker or a RaaS affiliate. "Although we have not reached a final verdict, all the facts obtained during our research suggest that … ShadowSyndicate is a RaaS affiliate that uses various types of malware," Group-IB said.
