What is ShadowSyndicate?
ShadowSyndicate, also known as Infra Storm, is a threat actor reportedly active since July 2022, working with various ransomware groups and affiliates of ransomware programs, such as Quantum, Nokoyawa, and ALPHV. This threat actor employs tools like Cobalt Strike, Sliver, IcedID, and Matanbuchus malware in its attacks. ShadowSyndicate utilizes the same SSH fingerprint (1ca4cbac895fc3bd12417b77fc6ed31d) on many of their servers—85 as of September 2023. At least 52 of these servers have been linked to the Cobalt Strike command and control (C2) framework [1].
What is RansomHub?
First observed following the FBI's takedown of ALPHV/BlackCat in December 2023, RansomHub quickly gained notoriety as a Ransomware-as-a-Service (RaaS) operator. RansomHub capitalized on the law enforcement’s disruption of the LockBit group’s operations in February 2024 to market themselves to potential affiliates who had previously relied on LockBit’s encryptors. RansomHub's success can be largely attributed to their aggressive recruitment on underground forums, leading to the absorption of ex-ALPHV and ex-LockBit affiliates. They were one of the most active ransomware operators in 2024, with approximately 500 victims reported since February, according to their Dedicated Leak Site (DLS) [2].
ShadowSyndicate and RansomHub
External researchers have reported that ShadowSyndicate had as many as seven different ransomware families in their arsenal between July 2022, and September 2023. Now, ShadowSyndicate appears to have added RansomHub’s their formidable stockpile, becoming an affiliate of the RaaS provider [1].
Darktrace’s analysis of ShadowSyndicate across its customer base indicates that the group has been leveraging RansomHub ransomware in multiple attacks in September and October 2024. ShadowSyndicate likely shifted to using RansomHub due to the lucrative rates offered by this RaaS provider, with affiliates receiving up to 90% of the ransom—significantly higher than the general market rate of 70-80% [3].
In many instances where encryption was observed, ransom notes with the naming pattern “README_[a-zA-Z0-9]{6}.txt” were written to affected devices. The content of these ransom notes threatened to release stolen confidential data via RansomHub’s DLS unless a ransom was paid. During these attacks, data exfiltration activity to external endpoints using the SSH protocol was observed. The external endpoints to which the data was transferred were found to coincide with servers previously associated with ShadowSyndicate activity.
Darktrace’s coverage of ShadowSyndicate and RansomHub
Darktrace’s Threat Research team identified high-confidence indicators of compromise (IoCs) linked to the ShadowSyndicate group deploying RansomHub. The investigation revealed four separate incidents impacting Darktrace customers across various sectors, including education, manufacturing, and social services. In the investigated cases, multiple stages of the kill chain were observed, starting with initial internal reconnaissance and leading to eventual file encryption and data exfiltration.
Attack Overview
Internal Reconnaissance
The first observed stage of ShadowSyndicate attacks involved devices making multiple internal connection attempts to other internal devices over key ports, suggesting network scanning and enumeration activity. In this initial phase of the attack, the threat actor gathers critical details and information by scanning the network for open ports that might be potentially exploitable. In cases observed by Darktrace affected devices were typically seen attempting to connect to other internal locations over TCP ports including 22, 445 and 3389.
C2 Communication and Data Exfiltration
In most of the RansomHub cases investigated by Darktrace, unusual connections to endpoints associated with Splashtop, a remote desktop access software, were observed briefly before outbound SSH connections were identified.
Following this, Darktrace detected outbound SSH connections to the external IP address 46.161.27[.]151 using WinSCP, an open-source SSH client for Windows used for secure file transfer. The Cybersecurity and Infrastructure Security Agency (CISA) identified this IP address as malicious and associated it with ShadowSyndicate’s C2 infrastructure [4]. During connections to this IP, multiple gigabytes of data were exfiltrated from customer networks via SSH.
Data exfiltration attempts were consistent across investigated cases; however, the method of egress varied from one attack to another, as one would expect with a RaaS strain being employed by different affiliates. In addition to transfers to ShadowSyndicate’s infrastructure, threat actors were also observed transferring data to the cloud storage and file transfer service, MEGA, via HTTP connections using the ‘rclone’ user agent – a command-line program used to manage files on cloud storage. In another case, data exfiltration activity occurred over port 443, utilizing SSL connections.
Lateral Movement
In investigated incidents, lateral movement activity began shortly after C2 communications were established. In one case, Darktrace identified the unusual use of a new administrative credential which was quickly followed up with multiple suspicious executable file writes to other internal devices on the network.
The filenames for this executable followed the regex naming convention “[a-zA-Z]{6}.exe”, with two observed examples being “bWqQUx.exe” and “sdtMfs.exe”.
Additionally, script files such as “Defeat-Defender2.bat”, “Share.bat”, and “def.bat” were also seen written over SMB, suggesting that threat actors were trying to evade network defenses and detection by antivirus software like Microsoft Defender.
File Encryption
Among the three cases where file encryption activity was observed, file names were changed by adding an extension following the regex format “.[a-zA-Z0-9]{6}”. Ransom notes with a similar naming convention, “README_[a-zA-Z0-9]{6}.txt”, were written to each share. While the content of the ransom notes differed slightly in each case, most contained similar text. Clear indicators in the body of the ransom notes pointed to the use of RansomHub ransomware in these attacks. As is increasingly the case, threat actors employed double extortion tactics, threatening to leak confidential data if the ransom was not paid. Like most ransomware, RansomHub included TOR site links for communication between its "customer service team" and the target.
Since Darktrace’s Autonomous Response capability was not enabled during the compromise, the ransomware attack succeeded in its objective. However, Darktrace’s Cyber AI Analyst provided comprehensive coverage of the kill chain, enabling the customer to quickly identify affected devices and initiate remediation.
In lieu of Autonomous Response being active on the networks, Darktrace was able to suggest a variety of manual response actions intended to contain the compromise and prevent further malicious activity. Had Autonomous Response been enabled at the time of the attack, these actions would have been quickly applied without any human interaction, potentially halting the ransomware attack earlier in the kill chain.
Conclusion
The Darktrace Threat Research team has noted a surge in attacks by the ShadowSyndicate group using RansomHub’s RaaS of late. RaaS has become increasingly popular across the threat landscape due to its ease of access to malware and script execution. As more individual threat actors adopt RaaS, security teams are struggling to defend against the increasing number of opportunistic attacks.
For customers subscribed to Darktrace’s Security Operations Center (SOC) services, the Analyst team promptly investigated detections of the aforementioned unusual and anomalous activities in the initial infection phases. Multiple alerts were raised via Darktrace’s Managed Threat Detection to warn customers of active ransomware incidents. By emphasizing anomaly-based detection and response, Darktrace can effectively identify devices affected by ransomware and take action against emerging activity, minimizing disruption and impact on customer networks.
Credit to Kwa Qing Hong (Senior Cyber Analyst and Deputy Analyst Team Lead, Singapore) and Signe Zahark (Principal Cyber Analyst, Japan)
[related-resource]
Appendices
Darktrace Model Detections
Antigena Models / Autonomous Response:
Antigena / Network / Insider Threat / Antigena Network Scan Block
Antigena / Network / Insider Threat / Antigena SMB Enumeration Block
Antigena / Network / Insider Threat / Antigena Internal Anomalous File Activity
Antigena / Network / Insider Threat / Antigena Large Data Volume Outbound Block
Antigena / Network / Significant Anomaly / Antigena Significant Anomaly from Client Block
Antigena / Network / Significant Anomaly / Antigena Breaches Over Time Block
Antigena / Network / Significant Anomaly / Antigena Controlled and Model Breach
Antigena / Network / Significant Anomaly / Antigena Significant Server Anomaly Block
Antigena / Network / Significant Anomaly / Antigena Enhanced Monitoring from Server Block
Antigena / Network / External Threat / Antigena Suspicious Activity Block
Antigena / Network / External Threat / Antigena Suspicious File Pattern of Life Block
Antigena / Network / External Threat / Antigena File then New Outbound Block
Network Reconnaissance:
Device / Network Scan
Device / ICMP Address Scan
Device / RDP Scan
Device / Anomalous LDAP Root Searches
Anomalous Connection / SMB Enumeration
Device / Spike in LDAP Activity
C2:
Enhanced Monitoring - Device / Lateral Movement and C2 Activity
Enhanced Monitoring - Device / Initial Breach Chain Compromise
Enhanced Monitoring - Compromise / Suspicious File and C2
Compliance / Remote Management Tool On Server
Anomalous Connection / Outbound SSH to Unusual Port
External Data Transfer:
Enhanced Monitoring - Unusual Activity / Enhanced Unusual External Data Transfer
Unusual Activity / Unusual External Data Transfer
Anomalous Connection / Data Sent to Rare Domain
Unusual Activity / Unusual External Data to New Endpoint
Compliance / SSH to Rare External Destination
Anomalous Connection / Application Protocol on Uncommon Port
Enhanced Monitoring - Anomalous File / Numeric File Download
Anomalous File / New User Agent Followed By Numeric File Download
Anomalous Server Activity / Outgoing from Server
Device / Large Number of Connections to New Endpoints
Anomalous Connection / Multiple HTTP POSTs to Rare Hostname
Anomalous Connection / Uncommon 1 GiB Outbound
Lateral Movement:
User / New Admin Credentials on Server
Anomalous Connection / New or Uncommon Service Control
Anomalous Connection / High Volume of New or Uncommon Service Control
Anomalous File / Internal / Executable Uploaded to DC
Anomalous Connection / Suspicious Activity On High Risk Device
File Encryption:
Compliance / SMB Drive Write
Anomalous File / Internal / Additional Extension Appended to SMB File
Compromise / Ransomware / Possible Ransom Note Write
Anomalous Connection / Suspicious Read Write Ratio
List of Indicators of Compromise (IoCs)
IoC - Type - Description + Confidence
83.97.73[.]198 - IP - Data exfiltration endpoint
108.181.182[.]143 - IP - Data exfiltration endpoint
46.161.27[.]151 - IP - Data exfiltration endpoint
185.65.212[.]164 - IP - Data exfiltration endpoint
66[.]203.125.21 - IP - MEGA endpoint used for data exfiltration
89[.]44.168.207 - IP - MEGA endpoint used for data exfiltration
185[.]206.24.31 - IP - MEGA endpoint used for data exfiltration
31[.]216.148.33 - IP - MEGA endpoint used for data exfiltration
104.226.39[.]18 - IP - C2 endpoint
103.253.40[.]87 - IP - C2 endpoint
*.relay.splashtop[.]com - Hostname - C2 & data exfiltration endpoint
gfs***n***.userstorage.mega[.]co.nz - Hostname - MEGA endpoint used for data exfiltration
w.api.mega[.]co.nz - Hostname - MEGA endpoint used for data exfiltration
ams-rb9a-ss.ams.efscloud[.]net - Hostname - Data exfiltration endpoint
MITRE ATT&CK Mapping
Tactic - Technqiue
RECONNAISSANCE – T1592.004 Client Configurations
RECONNAISSANCE – T1590.005 IP Addresses
RECONNAISSANCE – T1595.001 Scanning IP Blocks
RECONNAISSANCE – T1595.002 Vulnerability Scanning
DISCOVERY – T1046 Network Service Scanning
DISCOVERY – T1018 Remote System Discovery
DISCOVERY – T1083 File and Directory Discovery
INITIAL ACCESS - T1189 Drive-by Compromise
INITIAL ACCESS - T1190 Exploit Public-Facing Application
COMMAND AND CONTROL - T1001 Data Obfuscation
COMMAND AND CONTROL - T1071 Application Layer Protocol
COMMAND AND CONTROL - T1071.001 Web Protocols
COMMAND AND CONTROL - T1573.001 Symmetric Cryptography
COMMAND AND CONTROL - T1571 Non-Standard Port
DEFENSE EVASION – T1078 Valid Accounts
DEFENSE EVASION – T1550.002 Pass the Hash
LATERAL MOVEMENT - T1021.004 SSH
LATERAL MOVEMENT – T1080 Taint Shared Content
LATERAL MOVEMENT – T1570 Lateral Tool Transfer
LATERAL MOVEMENT – T1021.002 SMB/Windows Admin Shares
COLLECTION - T1185 Man in the Browser
EXFILTRATION - T1041 Exfiltration Over C2 Channel
EXFILTRATION - T1567.002 Exfiltration to Cloud Storage
EXFILTRATION - T1029 Scheduled Transfer
IMPACT – T1486 Data Encrypted for Impact
References
1. https://www.group-ib.com/blog/shadowsyndicate-raas/
3. https://cyberint.com/blog/research/ransomhub-the-new-kid-on-the-block-to-know/
4. https://www.cisa.gov/sites/default/files/2024-05/AA24-131A.stix_.xml
Get the latest insights on emerging cyber threats
This report explores the latest trends shaping the cybersecurity landscape and what defenders need to know in 2025.
.avif)
![Actions taken by Darktrace’s Autonomous Response to block connections to the suspicious external endpoint 23.95.123[.]5. This event log shows that the connections to 23.95.123[.]5 were made over a rare destination port for the HTTP protocol and that new user agents were used during the connections.](https://cdn.prod.website-files.com/626ff4d25aca2edf4325ff97/685069596b6d07de173a8b51_Screenshot%202025-06-16%20at%2011.58.25%E2%80%AFAM.png)
