Halcyon researchers expose Command-and-Control Providers (C2Ps) as a key pillar of the ransomware economy: entities that offer hosting and related services to attackers while presenting themselves as legitimate businesses. The report identifies Cloudzy as a service provider shared by actors such as Ghost Clown and Space Kook, who deploy BlackBasta and Royal ransomware, respectively. #Cloudzy #GhostClown
Key Points
- Halcyon identifies C2P entities that knowingly or unknowingly facilitate attacks while appearing legitimate.
- Cloudzy is identified as a shared service provider enabling ransomware campaigns and other cybercriminal activity.
- Ghost Clown and Space Kook affiliates are linked to deploying BlackBasta and Royal ransomware families.
- RDP hostnames found in the metadata of an affiliate's attack infrastructure provide a pivot point: from one known host, defenders can enumerate related infrastructure and detect an operation while it is still being staged, before the attack launches.
- Cloudzy accepts cryptocurrency for anonymous RDP VPS services, illustrating how infrastructure is monetized.
- Cloudzy is assessed to operate from Tehran, Iran, potentially in violation of U.S. sanctions; the infrastructure Halcyon tracked was used by multiple criminal actors as well as state-linked groups.
MITRE Techniques
- [T1583] Acquire Infrastructure – “C2P entities … providing services to attackers while assuming a legitimate business profile.”
- [T1021.001] Remote Desktop Protocol – “Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services” and “RDP hostnames within the metadata of an affiliate’s attack infrastructure”
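The RDP-hostname pivot described in the key points and in T1021.001 above can be automated against an internet-scan export of TCP/3389 listeners. The following is an added example written for this summary, not code from the Halcyon report: it seeds a watchlist with the two netblocks and two IP addresses quoted under Indicators of Compromise (the "and N more" entries are not reproduced), collects the hostname each RDP server leaks in its NTLM target name or self-signed certificate CN, and reports any host outside the watchlist that shares a hostname with a watchlisted one. The scan records, their JSON field names, the hostnames and the list of generic names to ignore are all constructed assumptions for illustration.

```python
"""Pivot from known C2P infrastructure to new hosts via shared RDP hostnames.

Added example; not part of the Halcyon report. Watchlist entries are the two
netblocks and two addresses quoted in the indicator list. Scan records, field
names and hostnames below are constructed for illustration.
"""
import ipaddress
import json
from collections import defaultdict
from typing import Optional

# Indicators quoted in the summary (only the entries actually listed).
WATCHLIST_NETBLOCKS = [ipaddress.ip_network(n) for n in ("104.237.193.40/29", "104.237.193.56/29")]
WATCHLIST_IPS = {ipaddress.ip_address(a) for a in ("23.19.58.181", "139.177.146.152")}

# Assumption: hostnames too common to be a meaningful pivot. Extend from your own data.
GENERIC_HOSTNAMES = {"LOCALHOST", "WINDOWS", "SERVER"}

# Constructed sample: newline-delimited JSON as a scan export might emit it for port 3389.
# The "ntlm_target_name"/"cert_cn" field names and the WIN-* hostnames are assumptions.
SAMPLE_SCAN = """
{"ip": "104.237.193.42", "port": 3389, "rdp": {"ntlm_target_name": "WIN-7K2QP9LMBE3", "cert_cn": "WIN-7K2QP9LMBE3"}}
{"ip": "198.51.100.17", "port": 3389, "rdp": {"ntlm_target_name": "WIN-7K2QP9LMBE3", "cert_cn": "WIN-7K2QP9LMBE3"}}
{"ip": "203.0.113.5", "port": 3389, "rdp": {"ntlm_target_name": "DC01", "cert_cn": "dc01.corp.example"}}
{"ip": "139.177.146.152", "port": 3389, "rdp": {"ntlm_target_name": "WIN-9XJ3T6RUZA1", "cert_cn": "WIN-9XJ3T6RUZA1"}}
"""


def in_watchlist(ip: str) -> bool:
    """True if the address is a listed IP or falls inside a listed netblock."""
    addr = ipaddress.ip_address(ip)
    return addr in WATCHLIST_IPS or any(addr in net for net in WATCHLIST_NETBLOCKS)


def parse_scan(text: str) -> list:
    """Parse NDJSON scan records, skipping blank and malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not abort the whole pivot
    return records


def rdp_hostname(record: dict) -> Optional[str]:
    """Prefer the NTLM target name (the Windows computer name disclosed during
    CredSSP/NLA negotiation); fall back to the self-signed certificate's CN."""
    rdp = record.get("rdp") or {}
    return rdp.get("ntlm_target_name") or rdp.get("cert_cn")


def pivot_rdp_hostnames(records: list, generic=GENERIC_HOSTNAMES) -> dict:
    """Map each hostname seen on a watchlisted host to the non-watchlisted IPs
    that present the same hostname. Hostnames with no new IPs are omitted."""
    by_host = defaultdict(set)
    for rec in records:
        name = rdp_hostname(rec)
        if rec.get("port") != 3389 or not name or name.upper() in generic:
            continue
        by_host[name].add(rec["ip"])

    findings = {}
    for name, ips in by_host.items():
        seeds = {ip for ip in ips if in_watchlist(ip)}
        new = ips - seeds
        if seeds and new:
            findings[name] = sorted(new)
    return findings


if __name__ == "__main__":
    for host, ips in pivot_rdp_hostnames(parse_scan(SAMPLE_SCAN)).items():
        print(f"{host}: seed matched watchlist, new candidates -> {', '.join(ips)}")
```

Feed it the full 3389 export rather than a pre-filtered one, since the point is to find hosts you were not already watching. Windows' auto-generated WIN-xxxxxxxxxxx names are effectively random per installation, so reuse across unrelated netblocks is a strong signal; hand-set or vendor-default names are not, which is why the generic-name exclusion exists and should be tuned against the noise in your own scan data.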
Indicators of Compromise
- [SHA256] context – 4d56e0a878b8a0f04462e7aa2a47d69a6f3a31703563025fb40fb82bab2a2f05, and 2 more hashes
- [IP Addresses] context – 23.19.58.181, 139.177.146.152, and 1 more
- [Domain] context – mojimetigi.biz
- [Netblocks] context – 104.237.193.40/29, 104.237.193.56/29, and 26 more ranges