New report unveils cyberespionage groups using ransomware for evasion and profit
The integration of ransomware by cyberespionage groups underscores the evolving and complex nature of contemporary cyber threats.
A recent report from SentinelLabs and Recorded Future analysts contends that cyberespionage groups have increasingly turned to ransomware as a strategic tool to complicate attribution, divert attention from defenders, or as a secondary objective for financial gain alongside data theft.
The report specifically sheds light on the activities of ChamelGang, a suspected Chinese advanced persistent threat (APT) group that uses the CatB ransomware strain in attacks targeting prominent organisations globally. Operating under aliases like CamoFei, ChamelGang has targeted mostly governmental bodies and critical infrastructure entities, operating mostly from 2021 to 2023.
Employing sophisticated tactics for initial access, reconnaissance, lateral movement, and data exfiltration, ChamelGang executed a notable attack in November 2022 on the Presidency of Brazil, compromising 192 computers. The group leveraged standard reconnaissance tools to map the network and identify critical systems before deploying CatB ransomware, leaving ransom notes with contact details and payment instructions on encrypted files. While initially attributed to TeslaCrypt, new evidence points to ChamelGang’s involvement.
In a separate incident, ChamelGang targeted the All India Institute Of Medical Sciences (AIIMS), disrupting healthcare services with CatB ransomware. Other suspected attacks on a government entity in East Asia and an aviation organisation in the Indian subcontinent share similarities in tactics, techniques, and procedures (TTPs) and the use of custom malware like BeaconLoader.
These intrusions have impacted 37 organisations, primarily in North America, with additional victims in South America and Europe. Moreover, analysis of past cyber incidents reveals connections to suspected Chinese and North Korean APTs.
Why does it matter?
The integration of ransomware into cyberespionage operations offers strategic advantages, blurring the lines between APT and cybercriminal activities to obfuscate attribution and mask data collection efforts. The emergence of ChamelGang in ransomware incidents stresses adversaries’ evolving tactics to achieve their objectives while evading detection.
About author
DW Team
The GIP Digital Watch Observatory team, consisting of over 30 digital policy experts from around the world, excels in the fields of research and analysis on digital policy issues. The team is backed by the creative prowess of Creative Lab Diplo and the technical expertise of the Diplo tech team.