China government-linked hackers caught running a seriously dangerous ransomware scam

News
By published

Emperor Dragonfly was seen deploying ransomware, but why?

A group of 7 hackers, 6 slightly blurred in the background and one in the foreground, all wearing black with hoods pulled up over their heads. You cannot see their faces. The hacker in the foreground sits with an open laptop in front of them. The background, behind the hackers, is a Chinese flag
(Image credit: Getty Images)
  • Symantec researchers observed Chinese state-sponsored threat actors running ransomware against an Asian software and services firm
  • They claim it's highly unusual activity for state attackers
  • The attackers demanded $2 million in ransom

Emperor Dragonfly, a known Chinese state-sponsored threat actor, recently did something unusual - it deployed a ransomware encryptor on a target’s network.

A report from Symantec’s Threat Hunter Team, which observed the attack in late 2024, noted how they had observed, on multiple occasions, the group doing what it usually does - side-loading malicious DLL files (via a legitimate Toshiba executable) to drop backdoors and establish persistence. The goal was, as it’s usual with state-sponsored attackers, cyber-espionage.

The victims were mostly foreign ministries of eastern European countries, and similar state agencies. But then, in late 2024, Emperor Dragonfly was seen using the same method to establish persistence - and then drop a ransomware payload - against an Asian software and services company. The group used the RA World ransomware variant, and demanded $2 million in ransom ($1 million if paid within three days).

A distraction

For Chinese state-sponsored threat actors, this is highly unusual, Symantec says. North Korean actors are often engaged in ransomware and are using the stolen money to fund their state agencies and weapons programs. The Chinese, however, are more interested in cyber-espionage. That being said, Symantec suspects that the ransomware attack, in this case, may have been a distraction, to hide the tracks of a larger operation - most likely an espionage one.

The initial attack vector was not disclosed, but the hackers did state that they abused a known Palo Alto PAN-OS vulnerability (CVE-2024-0012) to breach the infrastructure. “The attacker then said administrative credentials were obtained from the company’s intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers,” the researchers explained.

The final step was using the same DLL side-loading methodology.

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.