A new report from anti-ransomware vendor Halcyon said that virtual private server provider Cloudzy is being used to host malicious activity from numerous sources.

An apparently innocuous cloud hosting provider may be fronting for an Iran-based company that provides command-and-control services to ransomware attackers, according to a report published this week by security consultant and anti-ransomware vendor Halcyon.

Cloudzy, the report said, is primarily a virtual private server (VPS) provider that accepts cryptocurrency as payment for its services. Halcyon said it has identified a host of threat actors that have used the company’s services in the past, including APT groups with links to the Chinese, Iranian, North Korean and Russian governments, among others. Cloudzy has also provided services for a known spyware vendor and more than one criminal syndicate, Halcyon said.

According to Halcyon, Cloudzy does not require any real identity verification from its customers, merely a working email address. The company allegedly enforced its prohibition on using its services for illegal activity only when that activity involved IPv4 addresses registered to Cloudzy itself, not when it took place on infrastructure Cloudzy leased from other providers.

Halcyon’s investigation, which linked illegal activity to Cloudzy via those netblocks (blocks of IP addresses), also examined the company’s personnel. Its report said that Cloudzy’s US presence is at least partially fictional, existing mostly on paper. In actuality, the report said, Cloudzy is largely staffed by employees of a different company, called abrNOC, which is based in Tehran.

“At this moment, our team is actively investigating the claims made in the reports through proper legal channels,” according to a statement from Cloudzy, sent via email. “We believe it is essential to thoroughly review the allegations to ensure a fair and accurate understanding of the situation.
Once the investigation is complete, we will be more than willing to provide a comprehensive statement and engage in an open dialogue about the findings.”

A new model for ransomware attackers

Halcyon’s report said that “between 40% – 60%” of all servers hosted by the company appeared to be supporting possible malicious activity. Cloudzy, according to Halcyon, is part of a new model of ransomware attack: it supplies the command-and-control (C2) apparatus for malicious activity from an apparently legitimate source, a category of provider that Halcyon calls a C2P.

It’s a different approach to the problem, according to Halcyon chief marketing officer Ryan Golden. “Most operators won’t take the time to set up their operations to appear as legitimate companies because they’re more niche and want to move quicker to market,” he said. “We use this difference to draw a distinction between this second type of provider (usually known as Bulletproof Hosting) who tend to hide behind the guise of ‘free speech absolutists’ and what we call C2Ps.”

The idea of a C2P masquerading as a legitimate company has several advantages for bad actors, according to Golden. For one thing, simply appearing to be a US-based entity lends a layer of apparent trustworthiness, and the provider’s legitimate users help cover the malicious activity. “Since the traffic associated with their netblocks is mixed with potentially legitimate uses, it’s easier for the malicious actors to hide in the open,” Golden said.

Halcyon recommends that defenders check their systems for connections to the remote desktop servers linked to Cloudzy, which are detailed in the report. Because those netblocks also carry legitimate traffic, a match is a lead to investigate rather than proof of compromise.

(This story has been updated with a comment from Cloudzy.)
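The check Halcyon recommends, matching a host’s outbound connections against the report’s netblocks and flagging remote desktop (3389/tcp) endpoints, can be scripted. The example below is added here and is not code from Halcyon or Cloudzy; the netblocks it uses are RFC 5737 documentation ranges standing in for the report’s published indicators, and the connection records are constructed in the shape of `ss -tn` / `netstat -tn` output.

```python
"""Hunt connection records for RDP sessions into suspect netblocks.

Added example (not from the Halcyon report). SUSPECT_NETBLOCKS holds
placeholder documentation ranges; replace them with the report's indicators.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumption: placeholder ranges (RFC 5737), not real Cloudzy netblocks.
SUSPECT_NETBLOCKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]
RDP_PORT = 3389

# Constructed sample rows in `ss -tn` layout: the remote endpoint is column 6.
# Row 2 falls outside the /25, row 3 is non-RDP, rows 4-5 are unrelated hosts.
SAMPLE_CONNECTIONS = """\
tcp  ESTAB  0  0  10.0.0.5:51234  203.0.113.17:3389
tcp  ESTAB  0  0  10.0.0.5:51235  198.51.100.200:3389
tcp  ESTAB  0  0  10.0.0.5:51236  198.51.100.40:443
tcp  ESTAB  0  0  10.0.0.5:51237  93.184.216.34:3389
tcp  ESTAB  0  0  10.0.0.5:51238  [2001:db8::1]:3389
"""

# Accepts "ip:port" and the bracketed "[ipv6]:port" form.
SOCKET_RE = re.compile(r"^\[?(?P<host>[^\]\s]+?)\]?:(?P<port>\d+)$")


@dataclass(frozen=True)
class Hit:
    remote_ip: str
    remote_port: int
    netblock: str
    rdp: bool


def parse_socket(token: str) -> Optional[Tuple[object, int]]:
    """Split an endpoint token into (ip_address, port); None if malformed."""
    m = SOCKET_RE.match(token)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("host")), int(m.group("port"))
    except ValueError:
        return None


def find_suspect_rdp(lines: Iterable[str], netblocks=SUSPECT_NETBLOCKS,
                     rdp_only: bool = True) -> List[Hit]:
    """Return a Hit for every remote endpoint inside a suspect netblock.

    rdp_only=True reports only 3389/tcp remotes, matching the report's
    recommendation to look for remote desktop servers; rdp_only=False widens
    the hunt to any connection into the netblocks once a hit is confirmed.
    """
    hits: List[Hit] = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # header or malformed row
        parsed = parse_socket(parts[5])
        if parsed is None:
            continue
        ip, port = parsed
        for block in netblocks:
            if ip in block:  # False for mismatched IP versions
                if not rdp_only or port == RDP_PORT:
                    hits.append(Hit(str(ip), port, str(block), port == RDP_PORT))
                break
    return hits


def summarize(hits: List[Hit]) -> List[str]:
    """One line per hit; a match is a lead to triage, not proof of compromise."""
    return [f"{h.remote_ip}:{h.remote_port} in {h.netblock}"
            + (" (RDP)" if h.rdp else "") for h in hits]


if __name__ == "__main__":
    for row in summarize(find_suspect_rdp(SAMPLE_CONNECTIONS.splitlines())):
        print(row)
```

Run it against live output with `ss -tn | python3 hunt.py` by replacing `SAMPLE_CONNECTIONS.splitlines()` with `sys.stdin`; a single RDP hit on a listed netblock is enough to pull the host for triage, and `rdp_only=False` then shows whether other services on the same ranges were contacted.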