Halcyon published new research detailing novel techniques used to unmask a
major player in the ransomware economy, assessed to be facilitating both
ransomware attacks and state-sponsored APT operations: Command-and-Control
Providers (C2Ps), who sell services to threat actors while maintaining a
legal business profile.
In this report, titled Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps),
Halcyon demonstrates a unique technique for identifying C2P entities
that can be used to forecast the precursors to major ransomware
campaigns and other advanced attacks significantly "left of boom."
Halcyon also identifies two new, previously undisclosed ransomware
affiliates Halcyon tracks as Ghost Clown and Space Kook that currently
deploy BlackBasta and Royal, respectively. Halcyon's research and
engineering team used the same method to link the two ransomware
affiliates to the same Internet Service Provider, Cloudzy,
which accepts cryptocurrencies in exchange for anonymous use of its
Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services.
While these C2P entities are ostensibly legitimate businesses that may or
may not know their platforms are being abused for attack campaigns, they
nonetheless supply a key component of the larger attack apparatus used by
some of the most advanced threat actors.
"This report is only a slice of a very large pie," said Jon Miller, CEO
& Co-founder, Halcyon. "It uncovers a pattern of what appears to be
consistent use or abuse of servers provided by internet service provider
Cloudzy by more than two dozen different threat actors. At
Halcyon, we are committed to defeating ransomware, which includes
identifying new threats and techniques used to facilitate ransomware
attacks and state-sponsored APT operations."
Key Findings:
- Halcyon asserts that, based on this research, there is yet another key player supporting the booming ransomware economy: Command-and-Control Providers (C2Ps) who, knowingly or not, provide services to attackers while assuming a legitimate business profile.
- Threat actors assessed to be leveraging Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; and several criminal syndicates and ransomware affiliates whose campaigns have made international headlines.
- Halcyon uses an unlikely pivot point, namely RDP hostnames within the metadata of an affiliate's attack infrastructure, that can enable security teams to detect imminent ransomware attacks before they are launched, while the attack infrastructure is still being stood up.
- Halcyon identifies Cloudzy, which accepts cryptocurrencies in exchange for anonymous use of its Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services, as the apparent common service provider supporting ransomware attacks and other cybercriminal endeavors.
- Halcyon also identifies a long list of government-sponsored APT-related attacks spanning several years that appear to use Cloudzy services; Halcyon assesses that potentially 40% to 60% of activity leveraging Cloudzy services is malicious in nature.
- Halcyon presents evidence that, although Cloudzy is incorporated in the United States, it almost certainly operates out of Tehran, Iran, in possible violation of U.S. sanctions, under the direction of someone going by the name Hassan Nozari.
- Halcyon identified two previously unknown ransomware affiliates, dubbed Ghost Clown and Space Kook, currently deploying the BlackBasta and Royal ransomware strains, respectively.
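The RDP-hostname pivot in the findings above is described only at a high level in this release, and the report's own tooling is not shown here. The following Python example is added for illustration and is not Halcyon's code. It assumes that the hostname in question is the one an NLA-enabled RDP server discloses in its NTLM CHALLENGE_MESSAGE during the CredSSP handshake (the NetBIOS and DNS computer names carried in the TargetInfo AV_PAIRs, which internet-wide scanners routinely record alongside the IP and hosting provider). It builds constructed challenge messages as stand-in scan data, parses the AV_PAIRs with bounds checks, and then pivots from one known-bad IP to every other scanned server advertising the same hostname. All IPs, hostnames and provider names (`ExampleVPS`, `OtherHost`) are constructed and not real observations.

```python
import struct
from collections import defaultdict

# AV_PAIR identifiers in the NTLM CHALLENGE_MESSAGE TargetInfo field (MS-NLMP 2.2.2.1)
AV_EOL, AV_NB_COMPUTER, AV_NB_DOMAIN, AV_DNS_COMPUTER, AV_DNS_DOMAIN = 0, 1, 2, 3, 4
AV_NAMES = {AV_NB_COMPUTER: "netbios_computer", AV_NB_DOMAIN: "netbios_domain",
            AV_DNS_COMPUTER: "dns_computer", AV_DNS_DOMAIN: "dns_domain"}
NEGOTIATE_TARGET_INFO = 0x00800000  # flag bit: TargetInfo is present
HEADER_LEN = 48                     # fixed fields through TargetInfoFields


def build_challenge(netbios_name, dns_name, domain="WORKGROUP"):
    """Construct a minimal NTLM Type 2 (CHALLENGE) message of the kind an
    NLA-enabled RDP server returns during CredSSP.  Used only to fabricate
    sample scan data for this example; the 8-byte challenge is a constant."""
    def av_pair(av_id, text):
        value = text.encode("utf-16-le")
        return struct.pack("<HH", av_id, len(value)) + value

    target_info = (av_pair(AV_NB_COMPUTER, netbios_name) + av_pair(AV_NB_DOMAIN, domain)
                   + av_pair(AV_DNS_COMPUTER, dns_name) + av_pair(AV_DNS_DOMAIN, domain.lower())
                   + struct.pack("<HH", AV_EOL, 0))
    target_name = domain.encode("utf-16-le")
    flags = 0x00000001 | 0x00000004 | 0x00000200 | NEGOTIATE_TARGET_INFO  # UNICODE|REQUEST_TARGET|NTLM|TARGET_INFO
    return (b"NTLMSSP\x00" + struct.pack("<I", 2)                          # signature, MessageType
            + struct.pack("<HHI", len(target_name), len(target_name), HEADER_LEN)
            + struct.pack("<I", flags)
            + b"\x11" * 8 + b"\x00" * 8                                     # ServerChallenge, Reserved
            + struct.pack("<HHI", len(target_info), len(target_info), HEADER_LEN + len(target_name))
            + target_name + target_info)


def parse_challenge(msg):
    """Return the hostname-bearing AV_PAIRs of an NTLM CHALLENGE_MESSAGE.
    Truncated or foreign input raises ValueError; a challenge that carries
    no TargetInfo yields an empty dict rather than a guessed hostname."""
    if len(msg) < HEADER_LEN or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 2:
        raise ValueError("not a CHALLENGE_MESSAGE")
    if not struct.unpack_from("<I", msg, 20)[0] & NEGOTIATE_TARGET_INFO:
        return {}
    ti_len, _, ti_off = struct.unpack_from("<HHI", msg, 40)
    end = ti_off + ti_len
    if end > len(msg):
        raise ValueError("TargetInfo runs past end of message")
    info, pos = {}, ti_off
    while pos + 4 <= end:                      # each AV_PAIR needs a 4-byte header
        av_id, av_len = struct.unpack_from("<HH", msg, pos)
        pos += 4
        if av_id == AV_EOL:
            break
        value = msg[pos:pos + av_len]
        pos += av_len
        if av_id in AV_NAMES:
            info[AV_NAMES[av_id]] = value.decode("utf-16-le", "replace")
    return info


# Constructed scan records (documentation-range IPs, made-up providers, raw
# NTLM challenge as captured from TCP/3389).  Not real observations.
SCAN_RECORDS = [
    {"ip": "203.0.113.10", "provider": "ExampleVPS", "ntlm": build_challenge("WIN-Q7K2L9", "WIN-Q7K2L9")},
    {"ip": "203.0.113.25", "provider": "ExampleVPS", "ntlm": build_challenge("WIN-Q7K2L9", "WIN-Q7K2L9")},
    {"ip": "198.51.100.7", "provider": "ExampleVPS", "ntlm": build_challenge("DESKTOP-4F1A", "desktop-4f1a.corp.example")},
    {"ip": "192.0.2.44", "provider": "OtherHost", "ntlm": build_challenge("WIN-Q7K2L9", "WIN-Q7K2L9")},
]


def cluster_by_hostname(records):
    """Map each advertised DNS computer name (case-folded) to its records."""
    clusters = defaultdict(list)
    for rec in records:
        host = parse_challenge(rec["ntlm"]).get("dns_computer")
        if host:
            clusters[host.lower()].append(rec)
    return clusters


def pivot_on_hostname(records, seed_ip):
    """Take the hostname leaked by a known-bad RDP server and return every
    other scanned server advertising the same name, with its provider, so the
    rest of an affiliate's freshly built infrastructure can be flagged early."""
    by_ip = {rec["ip"]: rec for rec in records}
    if seed_ip not in by_ip:
        return None
    host = parse_challenge(by_ip[seed_ip]["ntlm"]).get("dns_computer")
    if not host:
        return None
    related = sorted((r["ip"], r["provider"]) for r in cluster_by_hostname(records)[host.lower()]
                     if r["ip"] != seed_ip)
    return {"hostname": host, "related": related}


if __name__ == "__main__":
    print(pivot_on_hostname(SCAN_RECORDS, "203.0.113.10"))
```

Identical hostnames across several IPs usually point to a cloned VM image or a shared build script rather than coincidence, which is what makes the pivot useful while infrastructure is still being stood up. A hostname on its own is still a weak indicator: in practice it should be combined with the hosting provider, ASN, RDP certificate fingerprint and first-seen date, and a cluster that spans thousands of unrelated hosts should be treated as a naming default rather than an actor fingerprint.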
The full report can be downloaded here: Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps).