An apparently innocuous cloud hosting provider may be fronting for an Iran-based company that provides command-and-control services to ransomware attackers, according to a report published this week by security consultant and anti-ransomware vendor Halcyon.
Cloudzy, the report said, is primarily a virtual private server provider, which accepts cryptocurrency as payment for its services. Halcyon said that it has identified a host of threat actors that have used the company’s services in the past, including APT groups with links to the Chinese, Iranian, North Korean and Russian governments, among others. Cloudzy has also provided services for a known spyware vendor and more than one criminal syndicate, Halcyion said.
Cloudzy did not respond to requests for comment.
According to Halcyon, Cloudzy does not require any real identity verification from its customers, merely a working email address. The company allegedly enforced prohibitions on using its services for any illegal activity, but only when that activity related to IPv4 addresses registered by Cloudzy itself, not when it took place on infrastructure leased from other providers.
Halcyon’s investigation, which linked illegal activity to Cloudzy via those netblocks (blocks of IP addresses) also investigated the company’s personnel. Its report said that Cloudzy’s US presence is at least partially fictional, existing mostly on paper. In actuality, the report said, Cloudzy is largely staffed by employees of a different company, called abrNOC, which is based in Tehran.
A new model for ransomware attackers
Halcyon’s report said that “between 40% – 60%” of all servers hosted by the company appeared to be supporting possible malicious activity. Cloudzy, according to Halcyon, is part of a new model of ransomware attack, providing the command and control or C2P apparatus for malicious activity via an apparently legitimate source. It’s a different approach to the problem, according to Halcyon chief marketing officer Ryan Golden.
