Source: securityboulevard.com – Author: Jeffrey Burt
There are a number of components that make up a ransomware campaign, from the initial access brokers (IABs) to ransomware-as-a-service (RaaS) affiliates to organizations that launder cryptocurrency from the ransom payments.
A report this week from cybersecurity startup Halcyon details another element of the RaaS ecosystem: Cloud services providers using their cloak of legitimacy to lease server space to threat groups. These threat groups use the cloud services providers as a base from which to run their attacks, including acting as the command-and-control structure.
The anti-ransomware company highlighted one relatively unknown company called Cloudzy, which is incorporated in the United States but which Halcyon says “almost certainly operates out of Tehran, Iran–in possible violation of U.S. sanctions.”
“While these C2P [command-and-control provider] entities are ostensibly legitimate businesses that may or may not know that their platforms are being abused for attack campaigns, they nonetheless provide a key pillar of the larger attack apparatus leveraged by some of the most advanced threat actors,” Halcyon’s research and engineering team wrote in the 15-page report.
In addition, the researchers also identified two previously undetected ransomware affiliates–dubbed Ghost Clown and Space Kook–that are deploying the BlackBasta and Royal ransomware strains in their attacks.
The Rise of C2Ps
The report puts into focus what Halcyon said is an increasingly important part of the expanding RaaS model that also includes malware developers and criminal affiliates.
“Few realize that [ransomware syndicates] also rely on a global system of legitimate service providers, like Cloudzy, who appear to act as command-and-control providers,” they wrote.
In Cloudzy’s case, Halcyon found that at least 17 state-sponsored advanced persistent threat (APT) groups tied to a who’s who of governments known for supporting or running cyberattacks and espionage, including Iran (with groups like Elfin), China (APT10 and Circuit Panda), Russia (Nobelium) and North Korea (BlueNoroff), have used the service provider’s infrastructure over the past several years. Also on the list are Pakistan (Transparent Tribe), India (Sidewinder) and Vietnam (OceanLotus).
Ransomware affiliates deploying high-profile ransomware like TrickBot, Ryuk and Blackcat also have relied on Cloudzy’s servers, as has Candiru, an Israeli company sanctioned by governments for its spyware technology.
In all, Halcyon estimates that 40% to 60% of Cloudzy’s cloud-hosted systems support malicious activities. Cloudzy CEO Hannan Nozari disputed that, telling Reuters that about 2% of the company’s clients were malicious and that Cloudzy shouldn’t be held responsible for their activities.
Ian Todd, detection engineer at cybersecurity vendor Critical Start, said the C2P concept is the latest step in reducing friction for bad actors, eliminating the need for self-hosted operations for their campaigns.
“The revelation that threat actors of all sizes, capabilities, and origins can and do use shared infrastructure from C2P providers could make attack attribution more difficult,” Todd said. “On the other hand, when a service provider like Cloudzy is identified, it can serve as a point of focus for defenders.”
RaaS has become the dominant structure, with most ransomware strains functioning as a service, according to blockchain analysis firm Chainalysis. A developer will create ransomware and allow affiliates to use it on a subscription or licensing basis. C2Ps like Cloudzy offer the virtual infrastructure for RaaS operators and affiliates and the platform for deploying the payload and exfiltrating data.
Halcyon was founded in 2021 by Jon Miller and Ryan Smith, who came with experience with such companies as Cylance (which BlackBerry bought in 2019), Accuvant (acquired by Optiv in 2014), and IBM X-Force (after Big Blue bought ISS in 2006). The company in April raised $50 million in series A funding and has since announced partnerships with CISO Global and Revelstoke Security to create integrated offerings designed to help enterprises fight against ransomware and other threats.
Putting the Focus on Cloudzy
Halcyon researchers were able to rent remote desktop protocol (RDP) virtual private servers (VPS) from Cloudzy, which they wrote appears to “market itself in a manner that directly appeals not just to privacy enthusiasts, but also to threat actors.”
Buying the services was inexpensive, easy and anonymous, with Cloudzy only requiring a working email address and payment in cryptocurrency, including Monero, which is more difficult for law enforcement agencies to track than Bitcoin or Ethereum.
Cloudzy’s terms of service around the use of its infrastructure for nefarious purposes at first glance seem strong–immediate termination, reporting to law enforcement–but in other areas of its site, it talked about abusers paying a nominal fee and fines of $250 to $1,000 and the possibility of continuing their service.
Halcyon researchers took a deep dive into Cloudzy to get a better picture of the company and claimed that it “almost certainly” is linked to another hosting company, abrNOC, which operates in Iran and is run by Nozari. Cloudzy is registered in Wyoming and Cyprus under the name RouterHosting and is represented by the CloudPeak Law firm, also in Wyoming.
They also questioned whether some of the people profiled on Cloudzy’s website as employees are fictitious, noting that the headshots of some appear to belong to other people.
Cloudzy is part of what Halcyon researchers say is an expanding environment of cloud services providers that understand the softness and weaknesses within regulations that allow them to give ransomware groups and other cybercriminals a relatively safe haven from which to run their malicious operations.
“C2Ps end up granting ransomware groups anonymous use of their infrastructure to launch attacks because, in the interest of privacy, it appears they never bother to ask who their customers are,” they wrote. “They are not required to. In this way, ransomware activity lines two sets of pockets–the criminals who deploy it and the service providers who may be turning a blind eye to them.”
Identifying Cloudzy and Similar Entities
Halcyon researchers said they used a novel technique to identify Cloudzy and that the same method can be used to find other C2Ps and detect imminent ransomware attacks. They used RDP hostnames found in the metadata of ransomware affiliates’ attack infrastructure.
They recommended enterprises use the indicators of compromise in the report to “search their networks for any of the malicious activity we tied to C2P Cloudzy, and that they immediately take note when any of the 11 RDP hostnames we identified surface in their environments.”
Security teams should look for the hostnames now to identify possible attacks already in progress and keep an eye out to prevent future malicious activity.
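As an added illustration of the recommendation above (this is example code, not from the article or from Halcyon's report): a small Python watchlist check that flags RDP sessions whose peer hostname matches a list of known-bad RDP hostnames. The log format, the sample lines and the hostnames are constructed placeholders; the report's actual 11 hostnames are not reproduced here.

```python
import re
from typing import Dict, Iterable, List

# Hypothetical placeholders standing in for the RDP hostnames published in the
# Halcyon report; replace with the real indicators from that report.
RDP_HOSTNAME_WATCHLIST = {
    "WIN-PLACEHOLDER1",
    "DESKTOP-PLACEHOLDER2",
}

# Constructed sample telemetry in a simplified key=value format: one line per
# observed session, with peer_host taken from the remote end's RDP/TLS
# certificate subject or the NetBIOS name it presented.
SAMPLE_LOG = """\
ts=2023-08-02T10:15:01Z src=10.0.5.21 dst=203.0.113.8 proto=rdp peer_host=win-placeholder1
ts=2023-08-02T10:16:44Z src=10.0.5.22 dst=10.0.5.9 proto=rdp peer_host=FILESRV01
ts=2023-08-02T10:17:09Z src=10.0.7.3 dst=198.51.100.40 proto=rdp peer_host=DESKTOP-PLACEHOLDER2.example
ts=2023-08-02T10:18:30Z src=10.0.5.22 dst=10.0.5.9 proto=smb peer_host=FILESRV01
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Turn one key=value log line into a dict."""
    return dict(LINE_RE.findall(line))


def normalize_host(host: str) -> str:
    """Compare case-insensitively on the short hostname only: RDP hostnames in
    certificate metadata appear both with and without a DNS suffix."""
    return host.split(".")[0].upper()


def find_watchlist_hits(lines: Iterable[str], watchlist=RDP_HOSTNAME_WATCHLIST) -> List[Dict[str, str]]:
    """Return the RDP events whose peer hostname is on the watchlist."""
    wanted = {normalize_host(h) for h in watchlist}
    hits = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_line(raw)
        if ev.get("proto") != "rdp":
            continue  # only RDP sessions carry the hostname indicator we care about
        if normalize_host(ev.get("peer_host", "")) in wanted:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_watchlist_hits(SAMPLE_LOG.splitlines()):
        print(f"ALERT {hit['ts']} {hit['src']} -> {hit['dst']} peer_host={hit['peer_host']}")
```

On the constructed sample, two of the four lines are flagged: the non-RDP session and the internal file server are ignored even though the latter is an RDP peer.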
Original Post URL: https://securityboulevard.com/2023/08/cloud-providers-becoming-key-players-in-ransomware-halcyon-warns/
Category & Tags: Cloud Security, Cybersecurity, Featured, Malware, News, Security Boulevard (Original), Spotlight, Threat Intelligence, Threats & Breaches, RaaS, Ransomware