China government-linked hackers caught running a seriously dangerous ransomware scam

[Image: a group of hooded hackers, faces hidden, in front of a Chinese flag. Image credit: Getty Images]

  • Symantec researchers observed Chinese state-sponsored threat actors running ransomware against an Asian software and services firm
  • They claim it's highly unusual activity for state attackers
  • The attackers demanded $2 million in ransom

Emperor Dragonfly, a known Chinese state-sponsored threat actor, recently did something unusual - it deployed a ransomware encryptor on a target’s network.

A report from Symantec’s Threat Hunter Team, which observed the attack in late 2024, noted that the team had seen the group, on multiple occasions, doing what it usually does: side-loading malicious DLL files via a legitimate Toshiba executable to drop backdoors and establish persistence. The goal was, as is usual with state-sponsored attackers, cyber-espionage.
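The side-loading pattern described above (a legitimate signed executable picking up a malicious DLL dropped beside it) leaves a detectable trace in endpoint image-load telemetry. The script below is an added illustration, not code from the article or from Symantec: it scans constructed Sysmon Event ID 7 records (real field names Image, ImageLoaded and Signed, but placeholder paths and file names) and flags two signs of side-loading: a DLL carrying a well-known system library name loaded from outside the Windows system directories, and an unsigned DLL loaded from the executable's own directory in a user-writable location. The list of impersonated DLL names is an illustrative subset, not a complete one.

```python
"""Flag likely DLL side-loading in Sysmon Event ID 7 (image load) records.

Added illustration: not code from the article, Symantec, or any vendor.
Records are constructed JSON lines carrying a subset of Sysmon's real
Event 7 fields: Image (loading process), ImageLoaded (the DLL) and
Signed ("true"/"false" for the loaded DLL)."""
import json
import ntpath

# Directories from which a Windows system DLL is legitimately loaded.
TRUSTED_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows\\winsxs")
# Path fragments that indicate a location a standard user can write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Illustrative (not exhaustive) set of DLL names often impersonated in side-loading.
COMMON_SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "cryptbase.dll", "userenv.dll", "dwmapi.dll",
}


def _parent_dir(path):
    """Lower-cased directory part of a Windows path."""
    return ntpath.dirname(path).lower()


def _in_trusted_dir(directory):
    return any(directory == d or directory.startswith(d + "\\") for d in TRUSTED_DIRS)


def classify(record):
    """Return the side-loading indicators matching one image-load record."""
    process, dll = record["Image"], record["ImageLoaded"]
    dll_signed = str(record.get("Signed", "false")).lower() == "true"
    dll_dir = _parent_dir(dll)
    dll_name = ntpath.basename(dll).lower()
    reasons = []
    # 1. A DLL named like a system library but living outside the system directories:
    #    the loader searched the application directory before System32 and found the impostor.
    if dll_name in COMMON_SYSTEM_DLLS and not _in_trusted_dir(dll_dir):
        reasons.append("system DLL name loaded from a non-system directory")
    # 2. The "drop exe and dll together" pattern: an unsigned DLL loaded from the
    #    executable's own directory, in a location any user could have written to.
    if (not dll_signed and dll_dir == _parent_dir(process)
            and any(h in dll_dir + "\\" for h in USER_WRITABLE_HINTS)):
        reasons.append("unsigned DLL loaded from the executable's own user-writable directory")
    return reasons


def scan(lines):
    """Parse JSON lines and return (process, dll, reasons) for each suspicious load."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        record = json.loads(line)
        reasons = classify(record)
        if reasons:
            findings.append((record["Image"], record["ImageLoaded"], reasons))
    return findings


# Constructed sample events (paths and file names are placeholders).
SAMPLE_LOG = r"""
{"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\vendor_tool.exe", "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll", "Signed": "false"}
{"Image": "C:\\Windows\\System32\\svchost.exe", "ImageLoaded": "C:\\Windows\\System32\\version.dll", "Signed": "true"}
{"Image": "C:\\Program Files\\Vendor\\app.exe", "ImageLoaded": "C:\\Program Files\\Vendor\\helper.dll", "Signed": "false"}
{"Image": "C:\\ProgramData\\Update\\svc.exe", "ImageLoaded": "C:\\ProgramData\\Update\\dbghelp.dll", "Signed": "false"}
"""

if __name__ == "__main__":
    for process, dll, reasons in scan(SAMPLE_LOG.splitlines()):
        print(f"{process} -> {dll}: {'; '.join(reasons)}")
```

Of the four constructed records, only the first and last are flagged; the unsigned helper DLL under Program Files is deliberately left alone, because vendor software loading its own unsigned libraries from a directory only administrators can write to is common and would otherwise flood the alert queue.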

The victims were mostly foreign ministries of eastern European countries, and similar state agencies. But then, in late 2024, Emperor Dragonfly was seen using the same method to establish persistence - and then drop a ransomware payload - against an Asian software and services company. The group used the RA World ransomware variant, and demanded $2 million in ransom ($1 million if paid within three days).

A distraction

For Chinese state-sponsored threat actors, this is highly unusual, Symantec says. North Korean actors often engage in ransomware and use the stolen money to fund their state agencies and weapons programs. Chinese actors, however, are more interested in cyber-espionage. That being said, Symantec suspects that the ransomware attack, in this case, may have been a distraction to hide the tracks of a larger operation, most likely an espionage one.

The initial attack vector was not disclosed, but the hackers did state that they abused a known Palo Alto PAN-OS vulnerability (CVE-2024-0012) to breach the infrastructure. “The attacker then said administrative credentials were obtained from the company’s intranet before stealing Amazon S3 cloud credentials from its Veeam server, using them to steal data from its S3 buckets before encrypting computers,” the researchers explained.
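The chain described above (credentials lifted from a backup server, then used to pull data out of S3 buckets before encryption) is visible in cloud audit logs if the backup identity's normal behaviour is known. The script below is an added illustration, not code from the article, Symantec, Veeam or AWS: it learns, from a constructed known-good window of simplified CloudTrail records (real CloudTrail field names, placeholder key id, addresses and times), which source addresses and API actions a backup access key normally uses, then flags that key issuing bulk GetObject calls from an address or with an action outside that baseline.

```python
"""Spot backup-service S3 credentials reused for bulk object reads from an
unfamiliar source: backup server -> stolen cloud key -> bucket data pulled.

Added illustration: not code from the article, Symantec, Veeam or AWS.
Events are constructed, simplified CloudTrail records using CloudTrail's
real field names (eventName, sourceIPAddress, userIdentity.accessKeyId,
requestParameters.bucketName); key id, addresses and times are placeholders."""
from collections import defaultdict


def build_baseline(events):
    """Per access key, the source IPs and API actions seen in a known-good window."""
    base = defaultdict(lambda: {"ips": set(), "actions": set()})
    for e in events:
        key = e["userIdentity"]["accessKeyId"]
        base[key]["ips"].add(e["sourceIPAddress"])
        base[key]["actions"].add(e["eventName"])
    return dict(base)


def detect_bulk_reads(events, base, threshold=10):
    """Flag (key, source IP) pairs issuing at least `threshold` GetObject calls
    where the IP, or the GetObject action itself, is outside the key's baseline."""
    tally = defaultdict(lambda: {"count": 0, "buckets": set(),
                                 "new_ip": False, "new_action": False})
    for e in events:
        if e["eventName"] != "GetObject":
            continue
        key, ip = e["userIdentity"]["accessKeyId"], e["sourceIPAddress"]
        known = base.get(key, {"ips": set(), "actions": set()})
        new_ip = ip not in known["ips"]
        new_action = "GetObject" not in known["actions"]
        if not (new_ip or new_action):
            continue  # reads that match this key's normal behaviour
        t = tally[(key, ip)]
        t["count"] += 1
        t["buckets"].add(e["requestParameters"]["bucketName"])
        t["new_ip"] |= new_ip
        t["new_action"] |= new_action
    findings = []
    for (key, ip), t in tally.items():
        if t["count"] >= threshold:
            findings.append({"accessKeyId": key, "sourceIPAddress": ip,
                             "count": t["count"], "buckets": sorted(t["buckets"]),
                             "new_ip": t["new_ip"], "new_action": t["new_action"]})
    return sorted(findings, key=lambda f: -f["count"])


# ---- constructed sample data (all values are placeholders) ----
BACKUP_KEY = "AKIAEXAMPLEBACKUP01"   # placeholder key id held by the backup server
BACKUP_SERVER_IP = "10.20.30.40"     # constructed address of the backup host
UNKNOWN_IP = "203.0.113.77"          # RFC 5737 documentation address


def _event(key, ip, action, bucket, minute):
    # Constructed timestamp; only the fields the detector reads are populated.
    return {"eventTime": f"2024-11-05T02:{minute:02d}:00Z", "eventName": action,
            "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key},
            "requestParameters": {"bucketName": bucket}}


# Known-good window: the backup job only lists and writes its own bucket.
BASELINE_EVENTS = [_event(BACKUP_KEY, BACKUP_SERVER_IP, a, "corp-backups", m)
                   for m, a in enumerate(["ListBucket", "PutObject", "PutObject", "HeadObject"] * 3)]
# Current window: normal writes, then the same key reading 25 objects from elsewhere.
CURRENT_EVENTS = (
    [_event(BACKUP_KEY, BACKUP_SERVER_IP, "PutObject", "corp-backups", m) for m in range(3)]
    + [_event(BACKUP_KEY, UNKNOWN_IP, "GetObject", b, 10 + i)
       for i, b in enumerate(["corp-backups"] * 20 + ["finance-exports"] * 5)]
)

if __name__ == "__main__":
    for finding in detect_bulk_reads(CURRENT_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(finding)
```

The baseline keyed on access key rather than IAM user is deliberate: a backup server's long-lived key is exactly the credential that walks off the host, so the question the detector asks is "is this key doing something the backup job never does", and the answer (new address, new action, reads spanning a bucket the job never touched) is what an analyst would want in the alert.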

The final step was using the same DLL side-loading methodology.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
