- Symantec researchers observed a Chinese state-sponsored threat actor deploying ransomware against an Asian software and services firm
- They say this is highly unusual activity for state-backed attackers
- The attackers demanded $2 million in ransom
Emperor Dragonfly, a Chinese state-sponsored threat actor, recently did something unusual: it deployed a ransomware encryptor on a target's network.
A report by the Symantec Threat Hunter Team, which observed the attack in late 2024, describes how the group used DLL sideloading (abusing a legitimate Toshiba executable) to drop backdoors and establish persistence. The objective was, as usual with state-sponsored attackers, cyberespionage.
The victims were mostly foreign ministries of Eastern European countries and similar state agencies. But then, at the end of 2024, Emperor Dragonfly was seen using the same method to establish persistence, and then deploy a ransomware payload, against an Asian software and services company. The group used the Rans ransomware and demanded $2 million in ransom ($1 million if paid within three days).
A distraction
For Chinese state-sponsored threat actors, this is very unusual, says Symantec. North Korean actors frequently engage in ransomware and use the stolen money to fund their state agencies and weapons programs. The Chinese, however, are more interested in cyberespionage. That said, Symantec suspects that the ransomware attack in this case may have been a distraction, meant to cover the tracks of a larger operation, most likely an espionage one.
The initial attack vector was not disclosed, but the hackers said they exploited a well-known vulnerability in Palo Alto Networks PAN-OS (CVE-2024-0012) to breach the infrastructure. "The attacker said that administrative credentials were obtained from the company's intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers," the researchers explained.
The final step was to use the same DLL sideloading methodology.
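The DLL sideloading technique mentioned above (a legitimate, signed executable loading a malicious DLL placed beside it) leaves a detectable trace: a system library name mapped from the application's own directory instead of System32. The following is an added example written for this page, not code from Symantec or the report, that flags such loads over constructed image-load telemetry; the DLL watch-list and event format are assumptions.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names that normally live only under the Windows system directories and are
# commonly hijacked via sideloading (hypothetical watch-list; extend from your own telemetry).
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll", "userenv.dll"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event (assumed shape): which process mapped which DLL."""
    process_image: str   # full path of the loading executable
    loaded_image: str    # full path of the DLL that was mapped


def _parent_dir(path: str) -> str:
    # Case-insensitive directory comparison, as on NTFS
    return str(PureWindowsPath(path).parent).lower()


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when a system-library name was mapped from the executable's own directory
    rather than from System32/SysWOW64: the classic sideloading footprint."""
    dll_name = PureWindowsPath(ev.loaded_image).name.lower()
    if dll_name not in SYSTEM_DLL_NAMES:
        return False
    dll_dir = _parent_dir(ev.loaded_image)
    if dll_dir in SYSTEM_DIRS:
        return False  # loaded from the expected location
    return dll_dir == _parent_dir(ev.process_image)


def find_sideload_candidates(events):
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample telemetry: one sideload, one legitimate system load, one vendor DLL
SAMPLE_EVENTS = [
    ImageLoad(r"C:\ProgramData\Vendor\vendor_app.exe", r"C:\ProgramData\Vendor\version.dll"),
    ImageLoad(r"C:\Windows\System32\notepad.exe", r"C:\Windows\System32\version.dll"),
    ImageLoad(r"C:\Program Files\App\app.exe", r"C:\Program Files\App\app_core.dll"),
]

if __name__ == "__main__":
    for ev in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"possible DLL sideload: {ev.process_image} -> {ev.loaded_image}")
```

A hit is a lead, not a verdict: confirm by checking the DLL's signature and whether the vendor legitimately ships that library next to its executable.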