Halcyon Researchers Expose Major Ransomware Command-and-Control Provider (C2P)


August 3, 2023


The Halcyon Research and Engineering Team has exposed yet another major player in the Ransomware Economy that has been facilitating ransomware attacks as well as multiple state-sponsored APT operations.

Similar to Bulletproof Hosting companies that cater to attackers and criminals and allow malicious activity to thrive on their networks, there are also ostensibly legitimate ISPs that act as Command-and-Control Providers (C2Ps) and sell services to threat actors while assuming an otherwise legal business profile.

“What stood out most to us is the fact that we have ostensibly legitimate ISPs providing attack infrastructure to nation-state threat actors, ransomware operators, and other possibly sanctioned entities while under no obligation to take any action whatsoever to stem the illicit activity,” Ryan Smith, CTO and co-founder at Halcyon, told The Record.

“In fact, they are profiting from it… These Command-and-Control Providers — knowingly or unknowingly — are essentially another pillar in the global attack ecosystem, and a major player in the ransomware economy.”

C2Ps rely on legal loopholes in their Terms of Service and Privacy Policies that do not require them to vet their customers, enabling threat actors to abuse their platforms for malicious operations while enjoying plausible deniability.  

In this report, titled Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps), Halcyon also demonstrates a unique method for identifying C2P entities and for observing the precursors to major ransomware and espionage campaigns as the attack infrastructure is being set up.

Halcyon researchers used this method to identify two previously undisclosed ransomware affiliates tracked as Ghost Clown and Space Kook who were observed deploying BlackBasta and Royal payloads, respectively.

This methodology, detailed in the report, led the researchers to a particularly good example of how C2Ps operate and stay below the radar of security teams – an ISP called Cloudzy – which is registered in the U.S. but is most likely actually operating out of Iran.

“Initially, Halcyon suspected that the person or entity doing the leasing was a criminal infrastructure broker, a part of the underground ransomware ecosystem, akin to an initial access broker or malware developer,” the report states.

“To our surprise, Halcyon was able to successfully purchase servers with the identified RDP hostnames from one of the ISPs, and only one: the C2P Cloudzy. More precisely, these hostnames appeared on servers provisioned using their ‘RDP VPS’ service. We had our answer.”

Threat actors that are assessed to be leveraging Cloudzy include APT groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civilians; and several criminal syndicates and ransomware affiliates whose campaigns have spurred international headlines.

It is assessed that (potentially) between 40% and 60% of the overall activity could be considered malicious in nature. Halcyon recommends that the technical readers of the report use the Indicators of Compromise (IOCs) appended below to search their networks for any of the malicious activities we tied to C2P Cloudzy.

Halcyon further recommends that defenders look out for these hostnames both retroactively, to identify possible attacks already in progress, and proactively, to prevent any malicious activity to begin with.
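One way to run both checks recommended above, as an added example that is not from Halcyon's report: a retroactive sweep of exported logon events and a per-event lookup for proactive alerting. The watchlist entries are placeholders (this page does not list the hostnames), the log lines are constructed, and it is an assumption that the remote hostname reaches your telemetry in the `WorkstationName` field of Windows logon events 4624/4625 exported as JSON lines.

```python
import json

# Placeholder entries: this page does not list the hostnames. Load the report's IOCs here.
WATCHLIST = {"EXAMPLE-HOST-01", "EXAMPLE-HOST-02"}
LOGON_EVENT_IDS = {4624, 4625}  # successful and failed Windows logons

# Constructed sample: Security events exported as JSON lines (field names are an assumption).
SAMPLE_EVENTS = """\
{"TimeCreated":"2023-07-30T02:14:07Z","EventID":4625,"WorkstationName":"example-host-01","IpAddress":"203.0.113.10","TargetUserName":"administrator"}
{"TimeCreated":"2023-07-30T02:14:31Z","EventID":4624,"WorkstationName":"EXAMPLE-HOST-01.localdomain","IpAddress":"203.0.113.10","TargetUserName":"svc_backup"}
{"TimeCreated":"2023-07-30T08:02:11Z","EventID":4624,"WorkstationName":"FINANCE-LT-22","IpAddress":"10.1.4.22","TargetUserName":"jdoe"}
{"TimeCreated":"2023-07-30T08:05:00Z","EventID":4624,"WorkstationName":"-","IpAddress":"10.1.4.30","TargetUserName":"jdoe"}
{"TimeCreated":"2023-07-30T09:00:00Z","EventID":4688,"WorkstationName":"EXAMPLE-HOST-02"}
truncated line {
"""


def normalise(name):
    """Compare hostnames case-insensitively, without UNC slashes or a DNS suffix."""
    host = str(name or "").strip().lstrip("\\").split(".", 1)[0].upper()
    return "" if host == "-" else host  # "-" is how an absent name is logged


def is_watchlisted(name, watchlist=WATCHLIST):
    """Proactive check: call from an alerting or blocking hook for each new logon."""
    return normalise(name) in {normalise(w) for w in watchlist}


def retro_hunt(lines, watchlist=WATCHLIST):
    """Retroactive check: return (matching logon events, count of unparseable lines)."""
    hits, skipped = [], 0
    for line in lines:
        try:
            event = json.loads(line)
            event_id = event.get("EventID")
        except (json.JSONDecodeError, AttributeError):
            skipped += 1  # counted so a damaged export is not mistaken for a clean one
            continue
        if event_id in LOGON_EVENT_IDS and is_watchlisted(event.get("WorkstationName"), watchlist):
            hits.append(event)
    return hits, skipped


if __name__ == "__main__":
    found, bad = retro_hunt(SAMPLE_EVENTS.splitlines())
    for e in found:
        print(e["TimeCreated"], e["EventID"], e["WorkstationName"], e["IpAddress"], e["TargetUserName"])
    print(f"{len(found)} hit(s), {bad} unparseable line(s)")
```

A failed logon followed seconds later by a successful one from the same watchlisted hostname, as in the first two sample lines, is the pattern to triage first.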

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.