Ransomware isn't always about the money: Government spies have objectives, too
Analysts tell El Reg why Russia's operators aren't that careful, and why North Korea wants money AND data
Feature Ransomware gangsters and state-sponsored online spies fall on opposite ends of the cyber-crime spectrum.
The former move fast, make a lot of noise, and then intentionally draw attention to say "Hi, we've broken into your network," usually sending the victim some encrypted files and a ransom note.
The latter often play the long game, moving stealthily and making seemingly innocuous moves to maintain a silent presence on your network, allowing them to snoop for as long as possible.
As cybercriminals continue to reap the financial rewards of stealing sensitive data and locking up computer systems, however, government-backed crews are moving in on the ransomware biz. Yet their motives aren't strictly profit-oriented.
Online spies tend to vary country by country, and this is especially true when it comes to China, Russia, Iran, and North Korea. These are the four countries posing the biggest cyber risk to Western nations.
The spy who pwned me
While infosec analysts say it's hard to generalize about the motivations of state-sponsored attackers who also deploy ransomware, there are some trends they have observed among the big four.
However, sometimes these lines between criminals and spies blur, and Russia is probably the top example of this.
"One notable example is the RomCom group," ESET senior malware researcher Jakub Souček told The Register.
This group has links to the notorious Cuba ransomware, and infosec watchers had assumed a financially motivated crew was behind it.
Following Russia's invasion of Ukraine, however, the general consensus shifted as the group's targets became more geopolitical in nature, and a new wave of attacks beginning at least in 2023 compromised Ukrainian government entities.
One campaign used a fake copy of a Ukrainian army website to lure victims into downloading RomCom.
In its 2024 analysis of the group, Cisco's Talos threat hunters said the attackers have a two-pronged strategy: "establish long-term access and exfiltrate data for as long as possible to support espionage motives, and then potentially pivot to ransomware deployment to disrupt and likely financially gain from the compromise."
Asylum Ambuscade is another example of a group conducting both financially motivated break-ins and espionage activity.
"Some threat actors operate at the intersection of cybercrime and state-sponsored espionage, leveraging their capabilities to achieve multiple objectives," Souček said. "This convergence naturally complicates attribution and response efforts."
Plus, some known Russia-aligned advanced persistent threat (APT) groups have been spotted deploying ransomware — or malware disguised as ransomware — for government purposes such as the ongoing Ukraine war.
Perhaps the best-known example of this is Sandworm, which Western government agencies have linked to Russia's GRU military intelligence unit.
Sandworm was behind a series of attacks leading up to the bloody invasion of Russia's neighboring country. In these, the crew deployed data-wiping malware on government and critical infrastructure networks designed to look like ransomware.
Years earlier, Sandworm had pulled a similar stunt with the notorious NotPetya attacks.
"The infamous Sandworm group has deployed wipers like Prestige and RansomBoggs against Ukrainian targets, disguising them as ransomware attacks," Souček said. "These attacks are intended to destroy data rather than extort money."
"In these cases, the malware use is strategic, being used to achieve a broader, political objective as opposed to extorting money from the victims."
Ransomware as distraction
"What we do know about APTs using ransomware: they use it as a distraction and not the actual means of the attack," according to a Recorded Future security analyst, who asked not to be named for personal safety reasons. "There's a few instances where we've seen this with Chinese APTs."
The analyst is referring to a series of ransomware attacks carried out over a three-year period, which Recorded Future and SentinelLabs have attributed to ChamelGang, a suspected Chinese-government-backed group.
These attacks targeted the presidency of Brazil in 2022, using the CatB ransomware, as well as a government organization in East Asia.
ChamelGang has also stolen data from government and private-sector firms in at least 10 other countries including the US, Russia, Japan and Taiwan.
"Ransomware can serve as a distraction or a means to obfuscate their true intentions, such as stealing intellectual property or gathering intelligence," Souček said. "At the same time, we have observed China-aligned APT groups going after money-making schemes as well."
Or to fund weapons programs
When it comes to governments purposefully using ransomware as a money-making endeavor, North Korea tops the list.
"North Korea is conducting ransomware attacks to get non-traceable cryptocurrency to fund their nuclear program," Grant Geyer, chief strategy officer at industrial network security firm Claroty, told The Register.
Microsoft's threat intel team spotted newish North Korean government gang Moonstone Sleet deploying a custom ransomware variant, FakePenny, against aerospace and defense orgs last year — but only after it had stolen data from these victims.
"This behavior suggests the actor had objectives for both intelligence gathering and monetization of its access," according to Microsoft, which said as much in its 2024 Digital Defense Report [PDF].
So while it's a slight deviation from Kim Jong Un's goons' typical crypto-heists, ransomware still aligns with Pyongyang's strategic interest: one of the ways it funds its weapons programs is via cyberattacks.
Last year the United Nations investigated 58 suspected North Korean cyberattacks on cryptocurrency-related companies that raked in about $3 billion in illicit funds between 2017 and 2023.
Over the summer the FBI and CISA warned that Iran's Pioneer Kitten had been breaking into buggy VPNs and firewall devices to steal data and drop ransomware. But, according to the feds, this government-backed group's recent attacks were financially motivated — not state-sanctioned.
Because no one really wants the government taking a cut of their ill-gotten gains. ®