Halcyon Cloudzy Report
Executive Summary
The ransomware economy is supported by a number of illicit groups, each providing one small piece of the puzzle that is cybercrime. From initial access brokers (IABs) to cryptocurrency money launderers, the criminal ecosystem that has sprung up around ransomware is vast. Halcyon researchers suggest there is yet another player that is, perhaps unwittingly, supporting the booming ransomware economy and other attack operations: Command-and-Control Providers (C2Ps), which sell services to threat actors while maintaining a legal business profile. Bulletproof Hosting (BPH) providers usually operate in jurisdictions with lenient laws against illicit conduct and openly, unapologetically serve criminal operations. C2Ps, by contrast, attempt to blend in as legitimate businesses, even going so far as to operate in jurisdictions where they are subject to legal standards of conduct (as Cloudzy does in the US), while leveraging the anonymity of their clients to serve criminal operations with plausible deniability. Although these C2P entities are ostensibly legitimate businesses that may or may not know their platforms are being abused for attack campaigns, they nonetheless provide a key pillar of the larger attack apparatus leveraged by some of the most advanced threat actors.
In this report, Halcyon demonstrates a unique method for identifying C2P entities that can potentially be used to forecast the precursors of ransomware campaigns and other attacks significantly “left of boom.” Halcyon also identifies two new, previously undisclosed ransomware affiliates we track as Ghost Clown and Space Kook that currently deploy BlackBasta and Royal, respectively. We also describe how we used the same method to link the two ransomware affiliates to the same Internet Service Provider, Cloudzy, which accepts cryptocurrencies in exchange for anonymous use of its Remote Desktop Protocol (RDP) Virtual Private Server (VPS) services.
It is well known that ransomware syndicates rely on a broad ecosystem of initial access brokers, malware and exploit developers, and criminal affiliates to run their illicit enterprises. Few realize that they also rely on a global system of legitimate service providers, like Cloudzy, that appear to act as Command-and-Control Providers (C2Ps). C2Ps end up granting ransomware groups anonymous use of their infrastructure to launch attacks because, in the interest of privacy, they appear never to ask who their customers are. They are not required to. In this way, ransomware activity lines two sets of pockets: the criminals who deploy it and the service providers who may be turning a blind eye to them.
In the case of Cloudzy, that blind eye may have missed a lot. This report documents what is assessed to be a pattern of consistent use or abuse of Cloudzy servers by more than two dozen different threat actors over several years. Included are groups tied to the Chinese, Iranian, North Korean, Russian, Indian, Pakistani, and Vietnamese governments; a sanctioned Israeli spyware vendor whose tools are known to target civil society; and several additional criminal syndicates and ransomware affiliates whose campaigns previously made international headlines. Halcyon concludes this report by taking a closer look at Cloudzy. We present evidence that even though Cloudzy purports to be a legitimate American company, it appears to operate out of Tehran, Iran in possible violation of U.S. sanctions under the direction of an entrepreneur named Hassan Nozari.