Blog
/

Inside the SOC

/
September 21, 2023

How Darktrace Detected Black Basta Ransomware

Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
21
Sep 2023
Discover how Darktrace uncovered Black Basta ransomware. Learn about its tactics, techniques, and how to protect your network from this threat.

What is Black Basta?

Over the past year, security researchers have been tracking a new ransomware group, known as Black Basta, that has been observed targeted organizations worldwide to deploy double extortion ransomware attacks since early 2022. While the strain and group are purportedly new, evidence seen suggests they are an offshoot of the Conti ransomware group [1].

The group behind Black Basta run a Ransomware as a Service (RaaS) model. They work with initial access brokers who will typically already have a foothold in company infrastructure to begin their attacks. Once inside a network, they then pivot internally using numerous tools to further their attack.

Black Basta Ransomware

Like many other ransomware actors, Black Basta uses double extortion as part of its modus operandi, exfiltrating sensitive company data and using the publication of this as a second threat to affected companies. This is also advertised on a dark web site, setup by the group to apply further pressure for affected companies to make ransom payments and avoid reputational damage.

The group also seems to regularly take advantage of existing tools to undertake the earlier stages of their attacks. Notably, the Qakbot banking trojan, seems to be the malware often used to gain an initial foothold within compromised environments.

Analysis of the tools, procedures and infrastructure used by Black Basta belies a maturity to the actors behind the ransomware. Their models and practices suggest those involved are experienced individuals, and security researchers have drawn possible links to the Conti ransomware group.

As such, Black Basta is a particular concern for security teams as attacks will likely be more sophisticated, with attackers more patient and able to lie low on digital estates for longer, waiting for the opportune moment to strike.

Cyber security is an infinite game where defender and attacker are stuck as cat and mouse; as new attacks evolve, security vendors and teams respond to the new indicators of compromise (IoCs), and update their existing rulesets and lists. As a result, attackers are forced to change their stripes to evade detection or sometimes even readjust their targets and end goals.

Anomaly Based Detection

By using the power of Darktrace’s Self-Learning AI, security teams are able to detect deviations in behavior. Threat actors need to move through the kill chain to achieve their aims, and in doing so will cause affected devices within networks to deviate from their expected pattern of life. Darktrace’s anomaly-based approach to threat detection allows it recognize these subtle deviations that indicate the presence of an attacker, and stop them in their tracks.

Additionally, the ecosystem of cyber criminals has matured in the last few decades. It is well documented how many groups now operate akin to legitimate companies, with structure, departments and governance. As such, while new attack methods and tactics do appear in the wild, the maturity in their business models belie the experience of those behind the attack.

As attackers grow their business models and develop their arsenal of attack vectors, it becomes even more critical for security teams to remain vigilant to anomalies within networks, and remain agnostic to underlying IoCs and instead adopt anomaly detection tools able to identify tactics, techniques, and procedures (TTPs) that indicate attackers may be moving through a network, ahead of deployment of ransomware and data encryption.

Darktrace’s Coverage of Black Basta

In April 2023, the Darktrace Security Operations Center (SOC) assisted a customer in triaging and responding to an ongoing ransomware infection on their network. On a Saturday, the customer reached out directly to the Darktrace analyst team via the Ask the Expert service for support after they observed encrypted files and locked administrative accounts on their network. The analyst team were able to investigate and clarify the attack path, identifying affected devices and assisting the customer with their remediation. Darktrace DETECT™ observed varying IoCs and TTPs throughout the course of this attack’s kill chain; subsequent analysis into these indicators revealed this had likely been a case of Black Basta seen in the wild.

Initial Intrusion

The methods used by the  group to gain an initial foothold in environments varies – sometimes using phishing, sometimes gaining access through a common vulnerability exposed to the internet. Black Basta actors appear to target specific organizations, as opposed to some groups who aim to hit multiple at once in a more opportunistic fashion.

In the case of the Darktrace customer likely affected by Black Basta, it is probable that the initial intrusion was out of scope. It may be that the path was via a phishing email containing an Microsoft Excel spreadsheet that launches malicious powershell commands; a noted technique for Black Basta. [3][4]  Alternatively, the group may have worked with access brokers who already had a foothold within the customer’s network.

One particular device on the network was observed acting anomalously and was possibly the first to be infected. The device attempted to connect to multiple internal devices over SMB, and connected to a server that was later found to be compromised and is described throughout the course of this blog. During this connection, it wrote a file over SMB, “syncro.exe”, which is possibly a legitimate Remote Management software but could in theory be used to spread an infection laterally. Use of this tool otherwise appears sporadic for the network, and was notably unusual for the environment.

Given these timings, it is possible this activity is related to the likely Black Basta compromise. However, there is some evidence online that use of Syncro has been seen installed as part of the execution of loaders such as Batloader, potentially indicating a separate or concurrent attack [5].

Internal Reconnaissance + Lateral Movement

However the attackers gained access in this instance, the first suspicious activity observed by Darktrace originated from an infected server. The attacker used their foothold in the device to perform internal reconnaissance, enumerating large portions of the network. Darktrace DETECT’s anomaly detection noted a distinct rise in connections to a large number of subnets, particularly to closed ports associated with native Windows services, including:

  • 135 (RPC)
  • 139 (NetBIOS)
  • 445 (SMB)
  • 3389 (RDP)

During the enumeration, SMB connections were observed during which suspiciously named executable files were written:

  • delete.me
  • covet.me

Data Staging and Exfiltration

Around 4 hours after the scanning activity, the attackers used their knowledge gained during enumeration about the environment to begin gathering and staging data for their double extortion attempts. Darktrace observed the same infected server connecting to a file storage server, and downloading over 300 GiB of data. Darktrace DETECT identified that the connections had been made via SMB and was able to present a list of filenames to the customer, allowing their security team to determine the data that had likely been exposed to the attackers.

The SMB paths detected by Darktrace showed a range of departments’ file areas being accessed by threat actors. This suggests they were interested in getting as much varied data as possible, presumably in an attempt to ensure a large amount of valuable information was at their disposal to make any threats of releasing them more credible, and more damaging to the company.

Shortly after the download, the device made an external connection over SSH to a rare domain, dataspt[.]com, hosted in the United States. The connection itself was made over an unusual port, 2022, and Darktrace recognized that the domain was new for the network.

During this upload, the threat actors uploaded a similar volume of data to the 300GiB that had been downloaded internally earlier. Darktrace flagged the usual elements of this external upload, making the identification and triage of this exfiltration attempt easier for the customer.

On top of this, Darktrace’s autonomous investigation tool Cyber AI Analyst™ launched an investigation into this on-going activity and was able to link the external upload events to the internal download, identifying them as one exfiltration incident rather than two isolated events. AI Analyst then provided a detailed summary of the activity detected, further speeding up the identification of affected files.

Preparing for Exploitation

All the activity documented so far had occurred on a Wednesday evening. It was at this point that the burst of activity calmed, and the ransomware lay in wait within the environment. Other devices around the network, particularly those connected to by the original infected server and a domain controller, were observed performing some elements of anomalous activity, but the attack seemed to largely take a pause.

However, on the Saturday morning, 3 days later, the compromised server began to change the way it communicated with attackers by reaching out to a new command and control (C2) endpoint. It seemed that attackers were gearing up for their attack, taking advantage of the weekend to strike while security teams often run with a reduced staffing.

Darktrace identified connections to a new endpoint within 4 minutes of it first being seen on the customer’s environment. The server had begun making repeated SSL connections to the new external endpoint, faceappinc[.]com, which has been flagged as malicious by various open-source intelligence (OSINT) sources.

The observed JA3 hash (d0ec4b50a944b182fc10ff51f883ccf7) suggests that the command-line tool BITS Admin was being used to launch these connections, another suggestion of the use of mature tooling.

In addition to this, Darktrace also detected the server using an administrative credential it had never previously been associated with. Darktrace recognized that the use of this credential represented a deviation from the device’s usual activity and thus could be indicative of compromise.

The server then proceeded to use the new credential to authenticate over Keberos before writing a malicious file (“management.exe”) to the Temp directory on a number of internal devices.

Encryption

At this point, the number of anomalous activities detected from the server increased massively as the attacker seems to connect networkwide in an attempt to cause as quick and destructive an encryption effort as possible. Darktrace observed numerous files that had been encrypted by a local process. The compromised server began to write ransom notes, named “instructions_read_me.txt” to other file servers, which presumably also had successfully deployed payloads. While Black Basta actors had initially been observed dropping ransom notes named “readme.txt”, security researchers have since observed and reported an updated variant of the ransomware that drops “instructions_read_me_.txt”, the name of the file detected by Darktrace, instead [6].

Another server was also observed making repeated SSL connections to the same rare external endpoint, faceappinc[.]com. Shortly after beginning these connections, the device made an HTTP connection to a rare IP address with no hostname, 212.118.55[.]211. During this connection, the device also downloaded a suspicious executable file, cal[.]linux. OSINT research linked the hash of this file to a Black Basta Executable and Linkable File (ELF) variant, indicating that the group was highly likely behind this ransomware attack.

Of particular interest again, is how the attacker lives off the land, utilizing pre-installed Windows services. Darktrace flagged that the server was observed using PsExec, a remote management executable, on multiple devices.

Darktrace Assistance

Darktrace DETECT was able to clearly detect and provide visibility over all stages of the ransomware attack, alerting the customer with multiple model breaches and AI Analyst investigation(s) and highlighting suspicious activity throughout the course of the attack.

For example, the exfiltration of sensitive data was flagged for a number of anomalous features of the meta-data: volume; rarity of the endpoint; port and protocol used.

In total, the portion of the attack observed by Darktrace lasted about 4 days from the first model breach until the ransomware was deployed. In particular, the encryption itself was initiated on a Saturday.

The encryption event itself was initiated on a Saturday, which is not uncommon as threat actors tend to launch their destructive attacks when they expect security teams will be at their lowest capacity. The Darktrace SOC team regularly observes and assists in customer’s in the face of ransomware actors who patiently lie in wait. Attackers often choose to strike as security teams run on reduced hours of manpower, sometimes even choosing to deploy ahead of longer breaks for national or public holidays, for example.

In this case, the customer contacted Darktrace directly through the Ask the Expert (ATE) service. ATE offers customers around the clock access to Darktrace’s team of expert analysts. Customers who subscribe to ATE are able to send queries directly to the analyst team if they are in need of assistance in the face of suspicious network activity or emerging attacks.

In this example, Darktrace’s team of expert analysts worked in tandem with Cyber AI Analyst to investigate the ongoing compromise, ensuring that the investigation and response process were completed as quickly and efficiently as possible.

Thanks to Darktrace’s Self-Learning AI, the analyst team were able to quickly produce a detailed report enumerating the timeline of events. By combining the human expertise of the analyst team and the machine learning capabilities of AI Analyst, Darktrace was able to quickly identify anomalous activity being performed and the affected devices. AI Analyst was then able to collate and present this information into a comprehensive and digestible report for the customer to consult.

Conclusion

It is likely that this ransomware attack was undertaken by the Black Basta group, or at least using tools related to their method. Although Black Basta itself is a relatively novel ransomware strain, there is a maturity and sophistication to its tactics. This indicates that this new group are actually experienced threat actors, with evidence pointing towards it being an offshoot of Conti.

The Pyramid of Pain is a well trodden model in cyber security, but it can help us understand the various features of an attack. Indicators like static C2 destinations or file hashes can easily be changed, but it’s the underlying TTPs that remain the same between attacks.

In this case, the attackers used living off the land techniques, making use of tools such as BITSAdmin, as well as using tried and tested malware such as Qakbot. While the domains and IPs involved will change, the way these malware interact and move about systems remains the same. Their fingerprint therefore causes very similar anomalies in network traffic, and this is where the strength of Darktrace lies.

Darktrace’s anomaly-based approach to threat detection means that these new attack types are quickly drawn out of the noise of everyday traffic within an environment. Once attackers have gained a foothold in a network, they will have to cause deviation from the usual pattern of a life on a network to proceed; Darktrace is uniquely placed to detect even the most subtle changes in a device’s behavior that could be indicative of an emerging threat.

Machine learning can act as a force multiplier for security teams. Working hand in hand with the Darktrace SOC, the customer was able to generate cohesive and comprehensive reporting on the attack path within days. This would be a feat for humans alone, requiring significant resources and time, but with the power of Darktrace’s Self-Learning AI, these deep and complex analyses become as easy as the click of a button.

Credit to: Matthew John, Director of Operations, SOC, Paul Jennings, Principal Analyst Consultant

Appendices

Darktrace DETECT Model Breaches

Internal Reconnaissance

Device / Multiple Lateral Movement Model Breaches

Device / Large Number of Model Breaches

Device / Network Scan

Device / Anomalous RDP Followed by Multiple Model Breaches

Device / Possible SMB/NTLM Reconnaissance

Device / SMB Lateral Movement

Anomalous Connection / SMB Enumeration

Anomalous Connection / Possible Share Enumeration Activity

Device / Suspicious SMB Scanning Activity

Device / RDP Scan

Anomalous Connection / Active Remote Desktop Tunnel

Device / Increase in New RPC Services

Device / ICMP Address Scan

Download and Upload

Unusual Activity / Enhanced Unusual External Data Transfer

Unusual Activity / Unusual External Data Transfer

Anomalous Connection / Uncommon 1 GiB Outbound

Anomalous Connection / Data Sent to Rare Domain

Anomalous Connection / Download and Upload

Compliance / SSH to Rare External Destination

Anomalous Server Activity / Rare External from Server

Anomalous Server Activity / Outgoing from Server

Anomalous Connection / Application Protocol on Uncommon Port

Anomalous Connection / Multiple Connections to New External TCP Port

Device / Anomalous SMB Followed By Multiple Model Breaches

Unusual Activity / SMB Access Failures

Lateral Movement and Encryption

User / New Admin Credentials on Server

Compliance / SMB Drive Write

Device / Anomalous RDP Followed By Multiple Model Breaches

Anomalous Connection / High Volume of New or Uncommon Service Control

Anomalous Connection / New or Uncommon Service Control

Device / New or Unusual Remote Command Execution

Anomalous Connection / SMB Enumeration

Additional Beaconing and Tooling

Device / Initial Breach Chain Compromise

Device / Multiple C2 Model Breaches

Compromise / Large Number of Suspicious Failed Connections

Compromise / Sustained SSL or HTTP Increase

Compromise / SSL or HTTP Beacon

Compromise / Suspicious Beaconing Behavior

Compromise / Large Number of Suspicious Successful Connections

Compromise / High Volume of Connections with Beacon Score

Compromise / Slow Beaconing Activity To External Rare

Compromise / SSL Beaconing to Rare Destination

Compromise / Beaconing Activity To External Rare

Compromise / Beacon to Young Endpoint

Compromise / Agent Beacon to New Endpoint

Anomalous Server Activity / Rare External from Server

Anomalous Connection / Multiple Failed Connections to Rare Endpoint

Anomalous File / EXE from Rare External Location

IoC - Type - Description + Confidence

dataspt[.]com - Hostname - Highly Likely Exfiltration Server

46.22.211[.]151:2022 - IP Address and Unusual Port - Highly Likely Exfiltration Server

faceappinc[.]com - Hostname - Likely C2 Infrastructure

Instructions_read_me.txt - Filename - Almost Certain Ransom Note

212.118.55[.]211 - IP Address - Likely C2 Infrastructure

delete[.]me - Filename - Potential lateral movement script

covet[.]me - Filename - Potential lateral movement script

d0ec4b50a944b182fc10ff51f883ccf7 - JA3 Client Fingerprint - Potential Windows BITS C2 Process

/download/cal.linux - URI - Likely BlackBasta executable file

1f4dcfa562f218fcd793c1c384c3006e460213a8 - Sha1 File Hash - Likely BlackBasta executable file

References

[1] https://blogs.blackberry.com/en/2022/05/black-basta-rebrand-of-conti-or-something-new

[2] https://www.cybereason.com/blog/threat-alert-aggressive-qakbot-campaign-and-the-black-basta-ransomware-group-targeting-u.s.-companies

[3] https://www.trendmicro.com/en_us/research/22/e/examining-the-black-basta-ransomwares-infection-routine.html

[4] https://unit42.paloaltonetworks.com/atoms/blackbasta-ransomware/

[5] https://www.trendmicro.com/en_gb/research/23/a/batloader-malware-abuses-legitimate-tools-uses-obfuscated-javasc.html

[6] https://www.pcrisk.com/removal-guides/23666-black-basta-ransomware

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Author
Matthew John
Director of Operations, SOC
Book a 1-1 meeting with one of our experts
Share this article

More in this series

No items found.

Blog

/

January 16, 2025

/
No items found.

Reimagining Your SOC: How to Achieve Proactive Network Security

Default blog imageDefault blog image

Introduction: Challenges and solutions to SOC efficiency

For Security Operation Centers (SOCs), reliance on signature or rule-based tools – solutions that are always chasing the latest update to prevent only what is already known – creates an excess of false positives. SOC analysts are therefore overwhelmed by a high volume of context-lacking alerts, with human analysts able to address only about 10% due to time and resource constraints. This forces many teams to accept the risks of addressing only a fraction of the alerts while novel threats go completely missed.

74% of practitioners are already grappling with the impact of an AI-powered threat landscape, which amplifies challenges like tool sprawl, alert fatigue, and burnout. Thus, achieving a resilient network, where SOC teams can spend most of their time getting proactive and stopping threats before they occur, feels like an unrealistic goal as attacks are growing more frequent.

Despite advancements in security technology (advanced detection systems with AI, XDR tools, SIEM aggregators, etc...), practitioners are still facing the same issues of inefficiency in their SOC, stopping them from becoming proactive. How can they select security solutions that help them achieve a proactive state without dedicating more human hours and resources to managing and triaging alerts, tuning rules, investigating false positives, and creating reports?

To overcome these obstacles, organizations must leverage security technology that is able to augment and support their teams. This can happen in the following ways:

  1. Full visibility across the modern network expanding into hybrid environments
  2. Have tools that identifies and stops novel threats autonomously, without causing downtime
  3. Apply AI-led analysis to reduce time spent on manual triage and investigation

Your current solutions might be holding you back

Traditional cybersecurity point solutions are reliant on using global threat intelligence to pattern match, determine signatures, and consequently are chasing the latest update to prevent only what is known. This means that unknown threats will evade detection until a patient zero is identified. This legacy approach to threat detection means that at least one organization needs to be ‘patient zero’, or the first victim of a novel attack before it is formally identified.

Even the point solutions that claim to use AI to enhance threat detection rely on a combination of supervised machine learning, deep learning, and transformers to

train and inform their systems. This entails shipping your company’s data out to a large data lake housed somewhere in the cloud where it gets blended with attack data from thousands of other organizations. The resulting homogenized dataset gets used to train AI systems — yours and everyone else’s — to recognize patterns of attack based on previously encountered threats.

While using AI in this way reduces the workload of security teams who would traditionally input this data by hand, it emanates the same risk – namely, that AI systems trained on known threats cannot deal with the threats of tomorrow. Ultimately, it is the unknown threats that bring down an organization.

The promise and pitfalls of XDR in today's threat landscape

Enter Extended Detection and Response (XDR): a platform approach aimed at unifying threat detection across the digital environment. XDR was developed to address the limitations of traditional, fragmented tools by stitching together data across domains, providing SOC teams with a more cohesive, enterprise-wide view of threats. This unified approach allows for improved detection of suspicious activities that might otherwise be missed in siloed systems.

However, XDR solutions still face key challenges: they often depend heavily on human validation, which can aggravate the already alarmingly high alert fatigue security analysts experience, and they remain largely reactive, focusing on detecting and responding to threats rather than helping prevent them. Additionally, XDR frequently lacks full domain coverage, relying on EDR as a foundation and are insufficient in providing native NDR capabilities and visibility, leaving critical gaps that attackers can exploit. This is reflected in the current security market, with 57% of organizations reporting that they plan to integrate network security products into their current XDR toolset[1].

Why settling is risky and how to unlock SOC efficiency

The result of these shortcomings within the security solutions market is an acceptance of inevitable risk. From false positives driving the barrage of alerts, to the siloed tooling that requires manual integration, and the lack of multi-domain visibility requiring human intervention for business context, security teams have accepted that not all alerts can be triaged or investigated.

While prioritization and processes have improved, the SOC is operating under a model that is overrun with alerts that lack context, meaning that not all of them can be investigated because there is simply too much for humans to parse through. Thus, teams accept the risk of leaving many alerts uninvestigated, rather than finding a solution to eliminate that risk altogether.

Darktrace / NETWORK is designed for your Security Operations Center to eliminate alert triage with AI-led investigations , and rapidly detect and respond to known and unknown threats. This includes the ability to scale into other environments in your infrastructure including cloud, OT, and more.

Beyond global threat intelligence: Self-Learning AI enables novel threat detection & response

Darktrace does not rely on known malware signatures, external threat intelligence, historical attack data, nor does it rely on threat trained machine learning to identify threats.

Darktrace’s unique Self-learning AI deeply understands your business environment by analyzing trillions of real-time events that understands your normal ‘pattern of life’, unique to your business. By connecting isolated incidents across your business, including third party alerts and telemetry, Darktrace / NETWORK uses anomaly chains to identify deviations from normal activity.

The benefit to this is that when we are not predefining what we are looking for, we can spot new threats, allowing end users to identify both known threats and subtle, never-before-seen indicators of malicious activity that traditional solutions may miss if they are only looking at historical attack data.

AI-led investigations empower your SOC to prioritize what matters

Anomaly detection is often criticized for yielding high false positives, as it flags deviations from expected patterns that may not necessarily indicate a real threat or issues. However, Darktrace applies an investigation engine to automate alert triage and address alert fatigue.

Darktrace’s Cyber AI Analyst revolutionizes security operations by conducting continuous, full investigations across Darktrace and third-party alerts, transforming the alert triage process. Instead of addressing only a fraction of the thousands of daily alerts, Cyber AI Analyst automatically investigates every relevant alert, freeing up your team to focus on high-priority incidents and close security gaps.

Powered by advanced machine-learning techniques, including unsupervised learning, models trained by expert analysts, and tailored security language models, Cyber AI Analyst emulates human investigation skills, testing hypotheses, analyzing data, and drawing conclusions. According to Darktrace Internal Research, Cyber AI Analyst typically provides a SOC with up to  50,000 additional hours of Level 2 analysis and written reporting annually, enriching security operations by producing high level incident alerts with full details so that human analysts can focus on Level 3 tasks.

Containing threats with Autonomous Response

Simply quarantining a device is rarely the best course of action - organizations need to be able to maintain normal operations in the face of threats and choose the right course of action. Different organizations also require tailored response functions because they have different standards and protocols across a variety of unique devices. Ultimately, a ‘one size fits all’ approach to automated response actions puts organizations at risk of disrupting business operations.

Darktrace’s Autonomous Response tailors its actions to contain abnormal behavior across users and digital assets by understanding what is normal and stopping only what is not. Unlike blanket quarantines, it delivers a bespoke approach, blocking malicious activities that deviate from regular patterns while ensuring legitimate business operations remain uninterrupted.

Darktrace offers fully customizable response actions, seamlessly integrating with your workflows through hundreds of native integrations and an open API. It eliminates the need for costly development, natively disarming threats in seconds while extending capabilities with third-party tools like firewalls, EDR, SOAR, and ITSM solutions.

Unlocking a proactive state of security

Securing the network isn’t just about responding to incidents — it’s about being proactive, adaptive, and prepared for the unexpected. The NIST Cybersecurity Framework (CSF 2.0) emphasizes this by highlighting the need for focused risk management, continuous incident response (IR) refinement, and seamless integration of these processes with your detection and response capabilities.

Despite advancements in security technology, achieving a proactive posture is still a challenge to overcome because SOC teams face inefficiencies from reliance on pattern-matching tools, which generate excessive false positives and leave many alerts unaddressed, while novel threats go undetected. If SOC teams are spending all their time investigating alerts then there is no time spent getting ahead of attacks.

Achieving proactive network resilience — a state where organizations can confidently address challenges at every stage of their security posture — requires strategically aligned solutions that work seamlessly together across the attack lifecycle.

References

1.       Market Guide for Extended Detection and Response, Gartner, 17thAugust 2023 - ID G00761828

Continue reading
About the author
Mikey Anderson
Product Manager, Network Detection & Response

Blog

/

January 15, 2025

/

Ransomware

RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's Arsenal

Default blog imageDefault blog image

What is ShadowSyndicate?

ShadowSyndicate, also known as Infra Storm, is a threat actor reportedly active since July 2022, working with various ransomware groups and affiliates of ransomware programs, such as Quantum, Nokoyawa, and ALPHV. This threat actor employs tools like Cobalt Strike, Sliver, IcedID, and Matanbuchus malware in its attacks. ShadowSyndicate utilizes the same SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) on many of their servers—85 as of September 2023. At least 52 of these servers have been linked to the Cobalt Strike command and control (C2) framework [1].

What is RansomHub?

First observed following the FBI's takedown of ALPHV/BlackCat in December 2023, RansomHub quickly gained notoriety as a Ransomware-as-a-Service (RaaS) operator. RansomHub capitalized on the law enforcement’s disruption of the LockBit group’s operations in February 2024 to market themselves to potential affiliates who had previously relied on LockBit’s encryptors. RansomHub's success can be largely attributed to their aggressive recruitment on underground forums, leading to the absorption of ex-ALPHV and ex-LockBit affiliates. They were one of the most active ransomware operators in 2024, with approximately 500 victims reported since February, according to their Dedicated Leak Site (DLS) [2].

ShadowSyndicate and RansomHub

External researchers have reported that ShadowSyndicate had as many as seven different ransomware families in their arsenal between July 2022, and September 2023. Now, ShadowSyndicate appears to have added RansomHub’s their formidable stockpile, becoming an affiliate of the RaaS provider [1].

Darktrace’s analysis of ShadowSyndicate across its customer base indicates that the group has been leveraging RansomHub ransomware in multiple attacks in September and October 2024. ShadowSyndicate likely shifted to using RansomHub due to the lucrative rates offered by this RaaS provider, with affiliates receiving up to 90% of the ransom—significantly higher than the general market rate of 70-80% [3].

In many instances where encryption was observed, ransom notes with the naming pattern “README_[a-zA-Z0-9]{6}.txt” were written to affected devices. The content of these ransom notes threatened to release stolen confidential data via RansomHub’s DLS unless a ransom was paid. During these attacks, data exfiltration activity to external endpoints using the SSH protocol was observed. The external endpoints to which the data was transferred were found to coincide with servers previously associated with ShadowSyndicate activity.

Darktrace’s coverage of ShadowSyndicate and RansomHub

Darktrace’s Threat Research team identified high-confidence indicators of compromise (IoCs) linked to the ShadowSyndicate group deploying RansomHub. The investigation revealed four separate incidents impacting Darktrace customers across various sectors, including education, manufacturing, and social services. In the investigated cases, multiple stages of the kill chain were observed, starting with initial internal reconnaissance and leading to eventual file encryption and data exfiltration.

Attack Overview

Timeline attack overview of ransomhub ransomware

Internal Reconnaissance

The first observed stage of ShadowSyndicate attacks involved devices making multiple internal connection attempts to other internal devices over key ports, suggesting network scanning and enumeration activity. In this initial phase of the attack, the threat actor gathers critical details and information by scanning the network for open ports that might be potentially exploitable. In cases observed by Darktrace affected devices were typically seen attempting to connect to other internal locations over TCP ports including 22, 445 and 3389.

C2 Communication and Data Exfiltration

In most of the RansomHub cases investigated by Darktrace, unusual connections to endpoints associated with Splashtop, a remote desktop access software, were observed briefly before outbound SSH connections were identified.

Following this, Darktrace detected outbound SSH connections to the external IP address 46.161.27[.]151 using WinSCP, an open-source SSH client for Windows used for secure file transfer. The Cybersecurity and Infrastructure Security Agency (CISA) identified this IP address as malicious and associated it with ShadowSyndicate’s C2 infrastructure [4]. During connections to this IP, multiple gigabytes of data were exfiltrated from customer networks via SSH.

Data exfiltration attempts were consistent across investigated cases; however, the method of egress varied from one attack to another, as one would expect with a RaaS strain being employed by different affiliates. In addition to transfers to ShadowSyndicate’s infrastructure, threat actors were also observed transferring data to the cloud storage and file transfer service, MEGA, via HTTP connections using the ‘rclone’ user agent – a command-line program used to manage files on cloud storage. In another case, data exfiltration activity occurred over port 443, utilizing SSL connections.

Lateral Movement

In investigated incidents, lateral movement activity began shortly after C2 communications were established. In one case, Darktrace identified the unusual use of a new administrative credential which was quickly followed up with multiple suspicious executable file writes to other internal devices on the network.

The filenames for this executable followed the regex naming convention “[a-zA-Z]{6}.exe”, with two observed examples being “bWqQUx.exe” and “sdtMfs.exe”.

Cyber AI Analyst Investigation Process for the SMB Writes of Suspicious Files to Multiple Devices' incident.
Figure 1: Cyber AI Analyst Investigation Process for the SMB Writes of Suspicious Files to Multiple Devices' incident.

Additionally, script files such as “Defeat-Defender2.bat”, “Share.bat”, and “def.bat” were also seen written over SMB, suggesting that threat actors were trying to evade network defenses and detection by antivirus software like Microsoft Defender.

File Encryption

Among the three cases where file encryption activity was observed, file names were changed by adding an extension following the regex format “.[a-zA-Z0-9]{6}”. Ransom notes with a similar naming convention, “README_[a-zA-Z0-9]{6}.txt”, were written to each share. While the content of the ransom notes differed slightly in each case, most contained similar text. Clear indicators in the body of the ransom notes pointed to the use of RansomHub ransomware in these attacks. As is increasingly the case, threat actors employed double extortion tactics, threatening to leak confidential data if the ransom was not paid. Like most ransomware, RansomHub included TOR site links for communication between its "customer service team" and the target.

Figure 2: The graph shows the behavior of a device with encryption activity, using the “SMB Sustained Mimetype Conversion” and “Unusual Activity Events” metrics over three weeks.

Since Darktrace’s Autonomous Response capability was not enabled during the compromise, the ransomware attack succeeded in its objective. However, Darktrace’s Cyber AI Analyst provided comprehensive coverage of the kill chain, enabling the customer to quickly identify affected devices and initiate remediation.

Figure 3: Cyber AI Analyst panel showing the critical incidents of the affected device from one of the cases investigated.

In lieu of Autonomous Response being active on the networks, Darktrace was able to suggest a variety of manual response actions intended to contain the compromise and prevent further malicious activity. Had Autonomous Response been enabled at the time of the attack, these actions would have been quickly applied without any human interaction, potentially halting the ransomware attack earlier in the kill chain.

Figure 4: A list of suggested Autonomous Response actions on the affected devices."

Conclusion

The Darktrace Threat Research team has noted a surge in attacks by the ShadowSyndicate group using RansomHub’s RaaS of late. RaaS has become increasingly popular across the threat landscape due to its ease of access to malware and script execution. As more individual threat actors adopt RaaS, security teams are struggling to defend against the increasing number of opportunistic attacks.

For customers subscribed to Darktrace’s Security Operations Center (SOC) services, the Analyst team promptly investigated detections of the aforementioned unusual and anomalous activities in the initial infection phases. Multiple alerts were raised via Darktrace’s Managed Threat Detection to warn customers of active ransomware incidents. By emphasizing anomaly-based detection and response, Darktrace can effectively identify devices affected by ransomware and take action against emerging activity, minimizing disruption and impact on customer networks.

Credit to Kwa Qing Hong (Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore) and Signe Zahark (Principal Cyber Analyst, Japan)

Appendices

Darktrace Model Detections

Antigena Models / Autonomous Response:

Antigena / Network / Insider Threat / Antigena Network Scan Block

Antigena / Network / Insider Threat / Antigena SMB Enumeration Block

Antigena / Network / Insider Threat / Antigena Internal Anomalous File Activity

Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block

Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block

Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block

Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach

Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block

Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block

Antigena / Network / External Threat / Antigena Suspicious Activity Block

Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block

Antigena / Network / External Threat / Antigena File then New Outbound Block


Network Reconnaissance:

Device / Network Scan

Device / ICMP Address Scan

Device / RDP Scan
Device / Anomalous LDAP Root Searches
Anomalous Connection / SMB Enumeration
Device / Spike in LDAP Activity

C2:

Enhanced Monitoring - Device / Lateral Movement and C2 Activity

Enhanced Monitoring - Device / Initial Breach Chain Compromise

Enhanced Monitoring - Compromise / Suspicious File and C2

Compliance / Remote Management Tool On Server

Anomalous Connection / Outbound SSH to Unusual Port


External Data Transfer:

Enhanced Monitoring - Unusual Activity / Enhanced Unusual External Data Transfer

Unusual Activity / Unusual External Data Transfer

Anomalous Connection / Data Sent to Rare Domain

Unusual Activity / Unusual External Data to New Endpoint

Compliance / SSH to Rare External Destination

Anomalous Connection / Application Protocol on Uncommon Port

Enhanced Monitoring - Anomalous File / Numeric File Download

Anomalous File / New User Agent Followed By Numeric File Download

Anomalous Server Activity / Outgoing from Server

Device / Large Number of Connections to New Endpoints

Anomalous Connection / Multiple HTTP POSTs to Rare Hostname

Anomalous Connection / Uncommon 1 GiB Outbound

Lateral Movement:

User / New Admin Credentials on Server

Anomalous Connection / New or Uncommon Service Control

Anomalous Connection / High Volume of New or Uncommon Service Control

Anomalous File / Internal / Executable Uploaded to DC

Anomalous Connection / Suspicious Activity On High Risk Device

File Encryption:

Compliance / SMB Drive Write

Anomalous File / Internal / Additional Extension Appended to SMB File

Compromise / Ransomware / Possible Ransom Note Write

Anomalous Connection / Suspicious Read Write Ratio

List of Indicators of Compromise (IoCs)

IoC - Type - Description + Confidence

83.97.73[.]198 - IP - Data exfiltration endpoint

108.181.182[.]143 - IP - Data exfiltration endpoint

46.161.27[.]151 - IP - Data exfiltration endpoint

185.65.212[.]164 - IP - Data exfiltration endpoint

66[.]203.125.21 - IP - MEGA endpoint used for data exfiltration

89[.]44.168.207 - IP - MEGA endpoint used for data exfiltration

185[.]206.24.31 - IP - MEGA endpoint used for data exfiltration

31[.]216.148.33 - IP - MEGA endpoint used for data exfiltration

104.226.39[.]18 - IP - C2 endpoint

103.253.40[.]87 - IP - C2 endpoint

*.relay.splashtop[.]com - Hostname - C2 & data exfiltration endpoint

gfs***n***.userstorage.mega[.]co.nz - Hostname - MEGA endpoint used for data exfiltration

w.api.mega[.]co.nz - Hostname - MEGA endpoint used for data exfiltration

ams-rb9a-ss.ams.efscloud[.]net - Hostname - Data exfiltration endpoint

MITRE ATT&CK Mapping

Tactic - Technqiue

RECONNAISSANCE – T1592.004 Client Configurations

RECONNAISSANCE – T1590.005 IP Addresses

RECONNAISSANCE – T1595.001 Scanning IP Blocks

RECONNAISSANCE – T1595.002 Vulnerability Scanning

DISCOVERY – T1046 Network Service Scanning

DISCOVERY – T1018 Remote System Discovery

DISCOVERY – T1083 File and Directory Discovery
INITIAL ACCESS - T1189 Drive-by Compromise

INITIAL ACCESS - T1190 Exploit Public-Facing Application

COMMAND AND CONTROL - T1001 Data Obfuscation

COMMAND AND CONTROL - T1071 Application Layer Protocol

COMMAND AND CONTROL - T1071.001 Web Protocols

COMMAND AND CONTROL - T1573.001 Symmetric Cryptography

COMMAND AND CONTROL - T1571 Non-Standard Port

DEFENSE EVASION – T1078 Valid Accounts

DEFENSE EVASION – T1550.002 Pass the Hash

LATERAL MOVEMENT - T1021.004 SSH

LATERAL MOVEMENT – T1080 Taint Shared Content

LATERAL MOVEMENT – T1570 Lateral Tool Transfer

LATERAL MOVEMENT – T1021.002 SMB/Windows Admin Shares

COLLECTION - T1185 Man in the Browser

EXFILTRATION - T1041 Exfiltration Over C2 Channel

EXFILTRATION - T1567.002 Exfiltration to Cloud Storage

EXFILTRATION - T1029 Scheduled Transfer

IMPACT – T1486 Data Encrypted for Impact

References

1.     https://www.group-ib.com/blog/shadowsyndicate-raas/

2.     https://www.techtarget.com/searchsecurity/news/366617096/ESET-RansomHub-most-active-ransomware-group-in-H2-2024

3.     https://cyberint.com/blog/research/ransomhub-the-new-kid-on-the-block-to-know/

4.     https://www.cisa.gov/sites/default/files/2024-05/AA24-131A.stix_.xml

Continue reading
About the author
Qing Hong Kwa
Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore
Your data. Our AI.
Elevate your network security with Darktrace AI