This sketchy hosting company may facilitate a lot of state-sponsored ransomware attacks
Cloudzy and other so-called C2P companies hide behind customer privacy, enabling bad actors, new report says.

Francis Scialabba
IT managers should add hosting provider Cloudzy to the ever-growing list of threats they monitor, anti-ransomware firm Halcyon said in an Aug. 1 blog post.
A new report identifies command-and-control providers (C2Ps) like Cloudzy as the infrastructure allegedly facilitating a number of state-sponsored ransomware attacks. Such providers have long flown under the radar because they have the appearance of legitimate businesses, according to the report.
However, according to Halcyon’s research, C2P companies can claim they don’t know what their clients are up to because of the anonymity that the firms enable through cryptocurrency payments and other features.
Although Cloudzy has an American business registration in the state of Wyoming, according to Reuters, the company “almost certainly operates out of Tehran, Iran” and can be tied to “more than two dozen different threat actors” linked to the governments of China, Iran, North Korea, Russia, India, Pakistan, and Vietnam, Halcyon’s report claimed.
Cloudzy CEO Hannan Nozari, who said he does not reside in Iran, has denied Halcyon’s assertions, telling Reuters that only 2% of his clients are “malicious,” adding, “If you are a knife factory, are you responsible if someone misuses the knife? Trust me, I hate those criminals and we do everything we can to get rid of them.”
Halcyon’s report, however, maintains that companies like Cloudzy “enjoy liability loopholes via their TOS and privacy policies that [do] not require them to ensure that the infrastructure they provide is not being used for illegal operations.”
The security platform said it arrived at the conclusions by researching remote desktop protocol hostnames to track C2P activities that could help identify ransomware attacks before they happen. Using the method, Halcyon said it tied Cloudzy to the malicious groups Ghost Clown and Space Kook, which allegedly deploy the well-known ransomware strains BlackBasta and Royal, respectively.
According to Cloudzy’s website, the company started out as RouterHosting in 2008, with the goal of making “VPS hosting and Remote Desktop connections easy and affordable for everyone.” It later rebranded to Cloudzy in 2021 and launched a cloud server product last year alongside its virtual private server offerings.
Reuters reported that Nozari runs related web hosting company abrNOC—which Halcyon alleged is based in Tehran. According to Halcyon’s research, “Cloudzy is almost certainly a cutout for the actual hosting company, abrNOC.”
More than one-half of Cloudzy’s servers could be tied to illicit activities, Halcyon estimated.
Bob Carver, a cyber threat intelligence specialist who has worked with large financial and telecom companies, said the Cloudzy report highlights a common underground business model that most cloud and internet providers are susceptible to. Once the shady customers are outed, it’s easy for them to move on to other providers, he said.
“This sort of thing is going on everywhere,” Carver told IT Brew. “They bounce around and make it hard to track.”
The takeaway? IT managers should be on the lookout for any signals that their organization could be the next target of a Cloudzy customer. Halcyon listed a number of IP addresses, RDP hostnames, netblocks, and other “indicators of compromise” associated with Cloudzy that professionals should be wary of if they pop up in their networks.
“We recommend that defenders look out for these hostnames both retroactively, to identify possible attacks already in progress, but also proactively, to prevent any malicious activity to begin with,” Halcyon advised in its blog post.
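One way to run the retroactive sweep Halcyon describes, as an added example that is not from the article or from Halcyon’s report: it checks exported logon events against a list of RDP client hostnames and netblocks. The indicator values are constructed placeholders (the report’s own lists are not reproduced here), and the JSON field names `workstation` and `src_ip` are assumptions about how the logs were exported.

```python
import ipaddress
import json

# Placeholder indicators (constructed for illustration, NOT taken from the report).
IOC_HOSTNAMES = {"WIN-PLACEHOLDER01", "WIN-PLACEHOLDER02"}
IOC_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range

# Constructed sample events; field names are assumptions about the log export.
SAMPLE_EVENTS = """\
{"host": "fs01", "workstation": "win-placeholder01", "src_ip": "198.51.100.7"}
{"host": "rdp-gw", "workstation": "LAPTOP-ALICE", "src_ip": "203.0.113.45"}
{"host": "app03", "workstation": "DESKTOP-OK", "src_ip": "192.0.2.10"}
{"host": "dc02", "workstation": "WIN-PLACEHOLDER02", "src_ip": "::ffff:203.0.113.9"}
{"host": "web01", "workstation": "-", "src_ip": "-"}
not-json: truncated record
"""

def match_event(event):
    """Return the reasons (possibly none) an event matches the indicator lists."""
    reasons = []
    # Hostnames are case-insensitive, so normalise before comparing.
    name = str(event.get("workstation") or "").strip().upper()
    if name in IOC_HOSTNAMES:
        reasons.append(f"hostname:{name}")
    try:
        addr = ipaddress.ip_address(str(event.get("src_ip") or ""))
    except ValueError:
        return reasons  # "-" or empty: no usable source address
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it matches IPv4 netblocks.
    addr = getattr(addr, "ipv4_mapped", None) or addr
    for net in IOC_NETBLOCKS:
        if addr.version == net.version and addr in net:
            reasons.append(f"netblock:{net}")
    return reasons

def hunt(lines):
    """Scan JSON-lines events; return (line_no, host, reasons) for each hit."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records rather than abort the sweep
        if isinstance(event, dict) and (reasons := match_event(event)):
            hits.append((line_no, event.get("host"), reasons))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS.splitlines()):
        print(hit)
```

The same `match_event` check can be applied to new events as they arrive to cover the proactive case.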