Beijing-backed attackers use ransomware as a decoy while they conduct espionage

They're not lying when they say 'We stole your data' – the lie is about which data they lifted


A state-sponsored Chinese threat actor has used ransomware as a distraction to help it conduct electronic espionage, according to security software vendor Secureworks.

The China-backed group, which Secureworks labels Bronze Starlight, has been active since mid-2021. It uses the HUI loader to install ransomware such as LockFile, AtomSilo, Rook, Night Sky and Pandora. But Secureworks asserts that the ransomware is probably just a distraction from the true intent: cyber espionage.

"The ransomware could distract incident responders from identifying the threat actors' true intent and reduce the likelihood of attributing the malicious activity to a government-sponsored Chinese threat group," the company argues.

Secureworks offers its distraction theory after observing Bronze Starlight deploying different ransomware variants for short periods of time – unusual behaviour, as ransomware gangs generally don't change their malware unless it's necessary to retain its potency. The company also feels that the gang's frequent changes of ransomware deter researchers, who have little reason to analyze code that's no longer in use.

But the gang has changed its methods at least once, moving from "traditional ransomware" in which infections lead to a demand for payments, to a name-and-shame model in which the gang threatens to expose data if it is not paid.

"It is possible that the change provided a more plausible means of exfiltrating data. The threat actors may also have decided that the public profile would be more effective as a distraction from their true operational objectives," opined Secureworks.

Secureworks believes the group has infected 21 victims, 75 percent of which would be of interest to Beijing. Among its haul are pharmaceutical companies, electronic component designers and manufacturers, a US law firm, and an aerospace and defense division of an Indian conglomerate. But there were also some seemingly random victims – like a small interior design company in Europe and two US real estate companies.

Even if none yielded info Beijing wanted, the evil genius of this plan is that the gang may still have made a profit if victims paid the ransom. ®


Biting the hand that feeds IT © 1998–2022