Halcyon published a bombshell report this week—an exposé of the ransomware landscape. The ground-breaking report, “Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps),” sheds light on a crucial and often overlooked aspect of the ransomware chain: the hosting providers that support and enable these illicit operations.
According to the report, certain hosting providers serve as nerve centers for orchestrating ransomware attacks, a critical aspect that frequently goes unnoticed amidst the broader focus on threat actors and their end targets. Halcyon’s in-depth research unveils the intricate and sophisticated systems leveraged by threat actors and the complicit, or sometimes unknowing, entities that empower them.
Cloudzy Hosting: A Major Player in State-Sponsored Cyberattacks
There is a lot of valuable research and insight in the report, but the most notable revelation is the identification of Cloudzy, a hosting provider, as a key facilitator of state-sponsored cyberattacks. Cloudzy is alleged to have been involved in hosting the command-and-control (C2) servers used in multiple instances of state-sponsored cyberattacks.
Halcyon notes that Cloudzy accepts cryptocurrencies in exchange for anonymous use of its RDP (Remote Desktop Protocol) and VPN (Virtual Private Network) services. That does not necessarily mean that Cloudzy is an active participant, but it sets up the conditions for at least tacit complicity.
A blog post from Halcyon explains, “While these C2P entities are ostensibly legitimate businesses that may or may not know that their platforms are being abused for attack campaigns, they nonetheless provide a key pillar of the larger attack apparatus leveraged by some of the most advanced threat actors.”
Motive, Means, and Opportunity
I wrote recently about how crime can be distilled down to three essential components—motive, means, and opportunity—and that there is little we can do about motive or means, but minimizing opportunity is the crux of effective cybersecurity.
This report from Halcyon highlights the fact that it is also possible to disrupt the means for crime. Cybercrime comprises an entire ecosystem of supporting businesses and infrastructure. By shutting down the flow of money, or preventing cybercriminals from accessing the infrastructure necessary for command-and-control operations, ransomware and other cybercrimes can be deterred.
“This is another example of the well-developed hacking-as-a-service industry, and the limitations of blocking traffic based on location,” declared Willy Leichter, VP at Cyware. “While this is thinly veiled, there is certainly a lot of infrastructure in the US and other countries being controlled by illegal hacking groups. We need to always have a zero-trust mindset – don’t assume anything is safe because it’s from a reputable location.”
The Anatomy of Ransomware Operations
Ransomware attacks are typically executed through a command-and-control (C2) server, which sends commands to infected systems and receives information back from them. Halcyon’s report unveils that hosting providers like Cloudzy have been hosting such servers, essentially becoming a critical link in the chain of ransomware attacks.
The significance of these findings cannot be overstated. As InfoRiskToday’s coverage indicates, a hosting provider accused of such actions illustrates the magnitude of the problem. Its headline, “Hosting Provider Accused of Facilitating Nation-State Hacks,” is an alarming one in the face of rising global cybersecurity threats. In these circumstances, identifying and neutralizing facilitators becomes as important as tracking down the actual threat actors.
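The report’s point, echoed in the Cyware quote above, is that C2 servers rented from a commercial hosting provider in a “reputable” country sail past location-based blocking. The following is an added illustration, not code from Halcyon or from the report: it compares a country-based block policy with a provider-based one over a constructed outbound firewall log. The provider names, the watchlist and the CIDRs (RFC 5737 documentation ranges) are all assumptions; nothing here reflects Cloudzy’s real address space.

```python
import ipaddress
from collections import defaultdict

# Hypothetical provider netblocks: RFC 5737 documentation ranges, not any
# real hosting provider's address space.
PROVIDER_NETBLOCKS = {
    "HYPOTHETICAL-C2P-HOST": [ipaddress.ip_network("203.0.113.0/24")],
    "EXAMPLE-SAAS-VENDOR": [ipaddress.ip_network("198.51.100.0/24")],
}
WATCHLISTED_PROVIDERS = {"HYPOTHETICAL-C2P-HOST"}  # constructed due-diligence list
BLOCKED_COUNTRIES = {"XX"}          # a location-only policy that allows "US"
REMOTE_ACCESS_PORTS = {3389, 1194}  # RDP and OpenVPN, the services rented anonymously

# Constructed log lines: time src dst dport dst_country. All destinations are
# geolocated to "US", so the country policy sees nothing.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 203.0.113.10 3389 US
10:01:01 10.0.0.5 203.0.113.10 3389 US
10:02:01 10.0.0.5 203.0.113.10 3389 US
10:02:30 10.0.0.7 198.51.100.8 443 US
10:03:01 10.0.0.5 203.0.113.10 3389 US
"""

def parse_log(text):
    """Turn each non-blank log line into a record dict."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport, country = line.split()
            records.append({"ts": ts, "src": src, "dst": dst,
                            "dport": int(dport), "country": country})
    return records

def provider_for(ip):
    """Map a destination IP to the provider owning its netblock, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in PROVIDER_NETBLOCKS.items():
        if any(addr in net for net in nets):
            return name
    return None

def geo_policy_hits(records):
    """What a location-only block list would flag."""
    return [r for r in records if r["country"] in BLOCKED_COUNTRIES]

def provider_policy_hits(records, min_connections=3):
    """Flag hosts repeatedly reaching remote-access ports on a watchlisted provider."""
    counts = defaultdict(int)
    for r in records:
        prov = provider_for(r["dst"])
        if prov in WATCHLISTED_PROVIDERS and r["dport"] in REMOTE_ACCESS_PORTS:
            counts[(r["src"], r["dst"], prov)] += 1
    return sorted(key for key, n in counts.items() if n >= min_connections)
```

On the sample log the country policy returns nothing, while the provider policy surfaces the one internal host beaconing to RDP on the watchlisted provider.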
The Implications and Way Forward
Halcyon’s research findings have significant implications for the cybersecurity landscape. It is a wake-up call for hosting providers to tighten their security and vetting measures. Furthermore, it underlines the need for stronger regulation and accountability mechanisms in the digital landscape to ensure that businesses do not become unwitting accomplices in cybercrime.
The revelations in the report may also necessitate a rethinking of cybersecurity strategies. The focus should not be confined to safeguarding against external threats but should also extend to scrutinizing third-party providers. This approach is consistent with the principle of ‘defense in depth,’ which advocates for multiple layers of security control within a system.
“Two things would go a long way to reduce this sort of abuse: First, service providers need to know their customers; it is certainly possible for the providers to understand who they are contracting with and for what purposes while still maintaining client privacy,” explained Ryan Smith, Co-founder and CTO of Halcyon. “Second, legitimate ISPs can also do some due diligence when asked to vouch for another provider or when they lease IP space to them – assuming they care about their infrastructure being used for nefarious purposes.”
Halcyon’s report marks a significant contribution to our understanding of ransomware operations. The unmasking of hosting providers like Cloudzy signifies an urgent need for internal cybersecurity reforms and robust due diligence in the digital business landscape. Only through a concerted effort that combines regulatory oversight, industry best practices, and advanced cybersecurity measures can we hope to counter the rising tide of ransomware threats.