URL: https://www.halcyon.ai/blog/report-ransomware-command-and-control-providers-unmasked-by-halcyon-researchers
Research


REPORT: RANSOMWARE COMMAND-AND-CONTROL PROVIDERS UNMASKED BY HALCYON RESEARCHERS


Written by
Halcyon Team
Published on
August 1, 2023


The Halcyon Research and Engineering Team has published new research that
details novel techniques used to unmask yet another Ransomware Economy player
that is facilitating ransomware attacks and state-sponsored APT operations:
Command-and-Control Providers (C2P), who sell services to threat actors while
assuming a legitimate business profile.

While these C2P entities are ostensibly legitimate businesses that may or may
not know that their platforms are being abused for attack campaigns, they
nonetheless provide a key pillar of the larger attack apparatus leveraged by
some of the most advanced threat actors.

In this report, titled Cloudzy with a Chance of Ransomware: Unmasking
Command-and-Control Providers (C2Ps), Halcyon demonstrates a unique method for
identifying C2P entities that can be used to forecast the precursors to major
ransomware campaigns and other advanced attacks significantly “left of boom.”
Halcyon also identifies two new, previously undisclosed ransomware affiliates
Halcyon tracks as Ghost Clown and Space Kook that currently deploy BlackBasta
and Royal, respectively.

The report also describes how we used the same method to link the two ransomware
affiliates to the same Internet Service Provider, Cloudzy, which accepts
cryptocurrencies in exchange for anonymous use of its Remote Desktop Protocol
(RDP) Virtual Private Server (VPS) services.


DOWNLOAD THE FULL REPORT HERE (PDF)


KEY FINDINGS:

 * Halcyon asserts that, based on this research, there is yet another key player
   supporting the burgeoning ransomware economy: Command-and-Control Providers
   (C2P) who, knowingly or not, provide services to attackers while assuming a
   legitimate business profile.
 * Threat actors assessed to be leveraging Cloudzy include APT groups tied to
   the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and
   Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are
   known to target civilians; and several criminal syndicates and ransomware
   affiliates whose campaigns have spurred international headlines.
 * Halcyon uses an unlikely pivot point, namely RDP hostnames within the
   metadata of an affiliate's attack infrastructure, that can enable security
   teams to detect imminent ransomware attacks before they are launched, while
   the attack infrastructure is still being stood up.
 * Halcyon identifies that Cloudzy, which accepts cryptocurrencies in exchange
   for anonymous use of its Remote Desktop Protocol (RDP) Virtual Private Server
   (VPS) services, appears to be the common service provider supporting
   ransomware attacks and other cybercriminal endeavors.
 * Halcyon also identifies a long list of government-sponsored APT-related
   attacks spanning several years that appear to use Cloudzy services, and
   assesses that potentially between 40% and 60% of the overall activity could
   be considered malicious in nature.
 * Halcyon presents evidence that, although Cloudzy is incorporated in the
   United States, it almost certainly operates out of Tehran, Iran, in possible
   violation of U.S. sanctions, under the direction of someone going by the
   name Hassan Nozari.
 * Halcyon identified two previously unknown ransomware affiliates, dubbed Ghost
   Clown and Space Kook, currently deploying BlackBasta and Royal ransomware
   strains, respectively.

This report documents what is assessed to be a pattern of consistent use or
abuse of servers provided by Internet Service Provider Cloudzy by more than two
dozen different threat actors, including:

 * Groups tied to the Chinese, Iranian, North Korean, Russian, Indian,
   Pakistani, and Vietnamese governments
 * A sanctioned Israeli spyware vendor whose tools are known to target civil
   society
 * Several additional criminal syndicates and ransomware affiliates whose
   campaigns previously made international headlines.

Halcyon concludes this report by taking a closer look at ISP Cloudzy, and
presents evidence that even though Cloudzy purports to be an American-based
company, it is assessed to actually be operating out of Tehran, Iran, possibly
in violation of U.S. sanctions.

Halcyon recommends that the technical readers of this report use the indicators
of compromise appended below to search their networks for any of the malicious
activity we tied to C2P Cloudzy, and that they immediately take note when any of
the 11 RDP hostnames we identified surface in their environments.

We recommend that defenders look for these hostnames both retroactively, to
identify possible attacks already in progress, and proactively, to catch
malicious infrastructure before an attack begins.
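The RDP hostname pivot above rests on a property of Windows RDP listeners: when a client negotiates TLS (or CredSSP/NLA), the server presents a self-signed certificate whose subject CN is the machine's hostname, so the name leaks to anyone who completes the handshake. The script below is an added example written for this post, not code from the Halcyon report: it sends the X.224 Connection Request that opens every RDP session, reads the server's negotiation response, completes the TLS handshake without validating the (self-signed) certificate, pulls every commonName out of the DER certificate, and compares the result against a watchlist. The watchlist entry `EXAMPLE-C2-HOST` is a placeholder; the report's 11 real hostnames are in the PDF and are not reproduced on this page, so substitute them yourself. The connection-confirm bytes used in the usage notes are constructed for illustration.

```python
"""Harvest the hostname an RDP listener leaks through its TLS certificate."""
import socket
import ssl
import struct

PROTOCOL_RDP = 0x0      # legacy Standard RDP Security: no TLS, no certificate to read
PROTOCOL_SSL = 0x1      # TLS
PROTOCOL_HYBRID = 0x2   # CredSSP/NLA (also starts with a TLS handshake)


def build_x224_connection_request(requested=PROTOCOL_SSL | PROTOCOL_HYBRID) -> bytes:
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ (MS-RDPBCGR 2.2.1.1)."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, requested)  # type, flags, length, protocols
    x224_body = struct.pack(">BHHB", 0xE0, 0, 0, 0)            # CR code, dst-ref, src-ref, class 0
    x224 = struct.pack(">B", len(x224_body) + len(neg_req)) + x224_body + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224    # TPKT v3, reserved, total length


def parse_x224_connection_confirm(data: bytes) -> int:
    """Return the security protocol the server selected, or raise on a failure record."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match payload")
    li, code = data[4], data[5]
    if (code & 0xF0) != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:  # no RDP_NEG_RSP appended: server only speaks Standard RDP Security
        return PROTOCOL_RDP
    if len(data) < 19:
        raise ValueError("truncated negotiation record")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if neg_type == 0x02:  # TYPE_RDP_NEG_RSP: value is selectedProtocol
        return value
    if neg_type == 0x03:  # TYPE_RDP_NEG_FAILURE: value is failureCode
        raise ConnectionError(f"RDP negotiation failed, failureCode={value}")
    raise ValueError(f"unexpected negotiation record type {neg_type:#x}")


def extract_common_names(der_cert: bytes) -> list:
    """Pull every commonName (OID 2.5.4.3) out of a DER certificate with a small
    tag scan; enough for the self-signed certificates RDP listeners generate."""
    oid_cn = b"\x06\x03\x55\x04\x03"
    names, pos = [], 0
    while True:
        pos = der_cert.find(oid_cn, pos)
        if pos < 0 or pos + len(oid_cn) + 1 >= len(der_cert):
            return names
        pos += len(oid_cn)
        tag, length, value_start = der_cert[pos], der_cert[pos + 1], pos + 2
        if length & 0x80:  # long-form DER length
            n = length & 0x7F
            length = int.from_bytes(der_cert[pos + 2:pos + 2 + n], "big")
            value_start = pos + 2 + n
        if tag in (0x0C, 0x13, 0x16):  # UTF8String, PrintableString, IA5String
            names.append(der_cert[value_start:value_start + length].decode("utf-8", "replace"))
        pos = value_start + length


def rdp_hostnames(ip: str, port: int = 3389, timeout: float = 5.0) -> list:
    """Negotiate TLS with an RDP listener and return the CN(s) of its certificate."""
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        sock.sendall(build_x224_connection_request())
        if parse_x224_connection_confirm(sock.recv(1024)) == PROTOCOL_RDP:
            return []  # no TLS layer, so no certificate (and no hostname) to harvest
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # self-signed by design; we only want the CN
        with ctx.wrap_socket(sock) as tls:
            return extract_common_names(tls.getpeercert(binary_form=True))


def match_watchlist(common_names, watchlist) -> list:
    """Case-insensitive match of harvested CNs against the hostnames you track."""
    wanted = {w.lower() for w in watchlist}
    return sorted(cn for cn in common_names if cn.lower() in wanted)


if __name__ == "__main__":
    import sys
    WATCHLIST = ["EXAMPLE-C2-HOST"]  # placeholder; load the report's hostnames here
    for target in sys.argv[1:]:
        cns = rdp_hostnames(target)
        flag = "WATCHLIST HIT" if match_watchlist(cns, WATCHLIST) else ""
        print(target, cns, flag)
```

Run it as `python rdp_cn.py <ip> [<ip> ...]` against hosts you are authorized to probe. Two caveats a hunter should keep in mind: a listener that answers with Standard RDP Security (no negotiation record) never exposes a certificate, so an empty result is not a clean bill of health, and a hostname is only a pivot, so a match should start an investigation of the server's owner and peers rather than end one.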


Indicators of Compromise:

SHA256
4d56e0a878b8a0f04462e7aa2a47d69a6f3a31703563025fb40fb82bab2a2f05

SHA256
b27ca5155e42e372d37cf2bcbb1f159627881ecbae2e51d41f414429599d37a7

IP Addresses
23.19.58[.]181
139.177.146[.]152
172.93.201[.]120

Domain
mojimetigi[.]biz

Netblocks
104.237.193.40/29
104.237.193.56/29
104.237.194.152/29
104.237.219.32/29
104.237.219.40/29
167.88.4.0/29
167.88.4.112/29
167.88.4.16/29
167.88.4.24/29
167.88.4.8/29
172.86.120.0/22
172.93.179.8/29
172.93.179.24/29
172.93.179.32/29
172.93.179.40/29
172.93.179.72/29
172.93.179.96/29
172.93.179.104/29
172.93.179.112/29
172.93.179.120/29
172.93.179.128/29
172.93.179.144/29
172.93.179.152/29
172.93.179.160/29
172.93.179.176/29
172.93.179.184/29
172.93.179.192/29
172.93.179.200/29
172.93.179.208/29
172.93.179.224/29
172.93.179.232/29
172.93.179.240/29
172.93.179.248/29
172.93.181.0/24
172.93.193.0/24
172.93.201.0/24
172.93.204.120/29
172.93.205.128/29
172.93.205.136/29
172.93.205.144/29
64.44.101.0/24
64.44.102.0/24
64.44.134.0/29
64.44.134.16/29
64.44.134.24/29
64.44.134.32/29
64.44.134.40/29
64.44.134.48/29
64.44.134.56/29
64.44.135.0/24
64.44.140.232/29
64.44.141.0/24
64.44.51.168/29
64.44.97.0/24
64.44.98.0/24
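The indicator list above is published in the usual defanged, heading-grouped form, which is not directly usable in a hunt. The script below is an added example written for this post, not code from the Halcyon report: it parses that block as printed (re-fanging `[.]`, dropping the zero-width characters the CMS leaves behind, sorting entries into hashes, addresses, domains and netblocks), then runs key=value firewall, DNS and EDR events through it. The `IOC_TEXT` excerpt uses a handful of indicators copied from the list above; the log lines and their key=value format are constructed for this example, and real telemetry will need its own `parse_event`.

```python
"""Match network and endpoint telemetry against the Cloudzy IoC list as published."""
import ipaddress
import re

# Excerpt of the indicators above, in the page's own layout; paste the full list in.
IOC_TEXT = """
Indicators of Compromise:
SHA256
4d56e0a878b8a0f04462e7aa2a47d69a6f3a31703563025fb40fb82bab2a2f05
SHA256
b27ca5155e42e372d37cf2bcbb1f159627881ecbae2e51d41f414429599d37a7
IP Addresses
23.19.58[.]181
172.93.201[.]120
Domain
mojimetigi[.]biz
Netblocks
172.86.120.0/22
172.93.201.0/24
64.44.134.56/29
"""

# Constructed sample events (not real logs): firewall, DNS and EDR in key=value form.
SAMPLE_LOGS = [
    "2023-08-01T09:12:03Z fw action=allow src=10.0.4.21 dst=172.93.201.120 dport=3389 proto=tcp",
    "2023-08-01T09:12:09Z fw action=allow src=10.0.4.21 dst=172.86.123.7 dport=443 proto=tcp",
    "2023-08-01T09:13:40Z dns src=10.0.4.21 query=cdn.mojimetigi.biz. type=A",
    "2023-08-01T09:14:02Z edr hostname=WS-0421 sha256=B27CA5155E42E372D37CF2BCBB1F159627881ECBAE2E51D41F414429599D37A7",
    "2023-08-01T09:15:11Z fw action=allow src=10.0.4.22 dst=8.8.8.8 dport=53 proto=udp",
]

HEADINGS = {"indicators of compromise:", "sha256", "ip addresses", "domain", "netblocks"}
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
KV_RE = re.compile(r"(\w+)=(\S+)")


def refang(token: str) -> str:
    return token.replace("[.]", ".").replace("hxxp", "http")


def parse_ioc_block(text: str) -> dict:
    """Turn the published IoC section into sets of hashes/IPs/domains and a netblock list."""
    iocs = {"sha256": set(), "ip": set(), "domain": set(), "netblock": []}
    for raw in text.splitlines():
        token = refang(raw.replace("\u200d", "").strip())  # strip zero-width joiners
        if not token or token.lower() in HEADINGS:
            continue
        if re.fullmatch(r"[0-9a-f]{64}", token, re.I):
            iocs["sha256"].add(token.lower())
        elif "/" in token:
            iocs["netblock"].append(ipaddress.ip_network(token, strict=False))
        elif DOMAIN_RE.match(token):
            iocs["domain"].add(token.lower())
        else:
            iocs["ip"].add(str(ipaddress.ip_address(token)))  # raises on a junk line
    return iocs


def parse_event(line: str) -> dict:
    """key=value event line -> dict (constructed format for this example)."""
    return dict(KV_RE.findall(line))


def match_event(iocs: dict, event: dict) -> list:
    """Return (indicator_type, value) pairs the event matches; an IP can hit twice."""
    hits = []
    if event.get("dst"):
        addr = ipaddress.ip_address(event["dst"])
        if str(addr) in iocs["ip"]:
            hits.append(("ip", str(addr)))
        hits.extend(("netblock", str(net)) for net in iocs["netblock"] if addr in net)
    for key in ("query", "host"):  # DNS query name or proxy Host header
        name = event.get(key, "").lower().rstrip(".")
        if name and (name in iocs["domain"]
                     or any(name.endswith("." + d) for d in iocs["domain"])):
            hits.append(("domain", name))
    sha = event.get("sha256", "").lower()
    if sha in iocs["sha256"]:
        hits.append(("sha256", sha))
    return hits


def scan_logs(ioc_text: str, lines) -> list:
    """Pair every log line with its indicator hits (an empty list means no match)."""
    iocs = parse_ioc_block(ioc_text)
    return [(line, match_event(iocs, parse_event(line))) for line in lines]


if __name__ == "__main__":
    for line, hits in scan_logs(IOC_TEXT, SAMPLE_LOGS):
        if hits:
            print(hits, "<-", line)
```

Treat the two indicator classes differently when triaging: a hash, exact IP or domain hit is specific, but the netblocks are hosting-provider ranges, and the report itself assesses only 40% to 60% of Cloudzy activity as malicious, so a netblock-only hit (like the second sample line) is a lead to enrich with the RDP hostname check, not grounds for an automatic block.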
