In new ransomware model, cloud provider acts as front for bad actors: report

An apparently innocuous cloud hosting provider may be fronting for an Iran-based company that provides command-and-control services to ransomware attackers, according to a report published this week by security consultant and anti-ransomware vendor Halcyon.

Cloudzy, the report said, is primarily a virtual private server provider, which accepts cryptocurrency as payment for its services. Halcyon said that it has identified a host of threat actors that have used the company’s services in the past, including APT groups with links to the Chinese, Iranian, North Korean and Russian governments, among others. Cloudzy has also provided services for a known spyware vendor and more than one criminal syndicate, Halcyion said.

According to Halcyon, Cloudzy does not require any real identity verification from its customers, merely a working email address. The company allegedly enforced prohibitions on using its services for any illegal activity, but only when that activity related to IPv4 addresses registered by Cloudzy itself, not when it took place on infrastructure leased from other providers.

Halcyon’s investigation, which linked illegal activity to Cloudzy via those netblocks (blocks of IP addresses) also investigated the company’s personnel. Its report said that Cloudzy’s US presence is at least partially fictional, existing mostly on paper. In actuality, the report said, Cloudzy is largely staffed by employees of a different company, called abrNOC, which is based in Tehran.

“At this moment, our team is actively investigating the claims made in the reports through proper legal channels,” according to a statement from Cloudzy, sent via email. “We believe it is essential to thoroughly review the allegations to ensure a fair and accurate understanding of the situation. Once the investigation is complete, we will be more than willing to provide a comprehensive statement and engage in an open dialogue about the findings.”

A new model for ransomware attackers

Halcyon’s report said that “between 40% – 60%” of all servers hosted by the company appeared to be supporting possible malicious activity. Cloudzy, according to Halcyon, is part of a new model of ransomware attack, providing the command and control or C2P apparatus for malicious activity via an apparently legitimate source. It’s a different approach to the problem, according to Halcyon chief marketing officer Ryan Golden.

“Most operators won’t take the time to set up their operations to appear as legitimate companies because they’re more niche and want to move quicker to market,” he said. “We use this difference to draw a distinction between this second type of provider (usually known as Bulletproof Hosting) who tend to hide behind the guise of ‘free speech absolutists’ and what we call C2Ps.”

The idea of a C2P masquerading as a legitimate company has several advantages for bad actors, according to Golden. For one thing, simply appearing to be a US-based entity provides a layer of apparent trustworthiness and provides legitimate users to help cover malicious activity.

“Since the traffic associated with their netblocks is mixed with potentially legitimate uses, it’s easier for the malicious actors to hide in the open,” Golden said.

Halcyon recommends that users check their systems for connections to remote desktop servers linked to Cloudzy, which are detailed in the report.

(This story has been updated with a comment from Cloudzy.)