Chinese hackers are increasingly deploying ransomware, researchers say

Chinese-linked cyberespionage campaigns are increasingly deploying ransomware as the final stage in operations to either make money, distract their adversaries or make it more difficult to attribute their work, researchers with SentinelLabs and Recorded Future said Wednesday. 

Historically, cyberespionage groups working on behalf of states have mostly eschewed the use of ransomware, but that appears to now be changing as state-backed hackers are increasingly using the epidemic of ransomware to hide their operations. According to Wednesday’s report, apparent ransomware attacks against the Brazilian presidency and the All India Institute of Medical Sciences (AIIMS), carried out in 2022 and so far unattributed, were in fact the work of a suspected Chinese-linked cyberespionage operation tracked as ChamelGang, or CamoFei. 

Cyberespionage disguised as ransomware provides “an opportunity for adversarial countries to claim plausible deniability by attributing the actions to independent cybercriminal actors rather than state-sponsored entities,” SentinelLabs Senior Threat Researcher Aleksandar Milenkoski and Recorded Future Senior Threat Researcher Julian-Ferdinand Vögele write in the report.  

Misattributing cyberespionage as purely financially motivated cybercrime can also have strategic repercussions, the researchers said, particularly in cases where supposed ransomware attacks target government or critical infrastructure organizations.

Ransomware attacks typically lock files and data, with attackers only making them available after a ransom is paid. Other times, ransomware operators never decrypt the data in question, turning a ransomware attack into a destructive attack. In the aftermath of such an attack, the onus is typically on getting systems back online and restoring encrypted data to the greatest extent possible. That plays into the hands of cyberespionage groups, who can masquerade as destructive ransomware operators and carry out attacks that destroy intrusion-related artifacts, making it difficult to attribute their operations. 

Police in Delhi called the November 2022 AIIMS attack an act of “cyber terrorism,” Indian media reported at the time, with anonymous government officials there saying the attack was carried out “by the Chinese” and represented a possible “hostile cross-border attack.”

The Indian and Brazilian embassies in Washington, D.C., did not respond to a request for comment ahead of the report’s release.

Liu Pengyu, spokesman for the Chinese Embassy in Washington, D.C., told CyberScoop in an email that China “firmly opposes and combats cyber attacks and cyber theft in all forms.” 

“Given the virtual nature of cyberspace and the fact that there are all kinds of online actors who are difficult to trace, identifying the source of cyber attacks is a complex technical issue,” Pengyu said. “We hope that relevant sides will adopt a professional and responsible attitude and underscore the importance to have enough evidence when identifying cyber-related incidents, rather than make groundless speculations and allegations.”

The report that Chinese hackers are increasingly using ransomware comes as top U.S. officials continue to sound the alarm about what they say is aggressive Chinese prepositioning of cyber capabilities in sensitive U.S. civilian networks that would typically have no obvious espionage value. That activity, tracked publicly as Volt Typhoon, is designed to influence U.S. decision-making in the event of a conflict, officials have said. 

The use of ransomware by Chinese-linked cyber operations is not unprecedented. Researchers with Mandiant have previously detailed activities tracked as APT41, which include state-sponsored espionage activity as well as “financially-motivated activity potentially outside of state control.” Researchers with Secureworks have also documented Chinese-linked intellectual property theft activity with ransomware deployment, as has Microsoft.

Russian military intelligence has also used disruptive and destructive malware — including ransomware — during its ongoing assault on Ukraine, according to a July 2023 analysis from Mandiant. Ransomware temporarily misdirects attribution and amplifies the psychological aspect of a given operation, the researchers said, and allows the GRU to “more rapidly replenish its arsenal with new, undetected disruptive tools than it could have by developing them in-house.”

Ransomware as part of state-aligned operations could also be useful as a smoke screen of sorts that serves a variety of goals, said Ben Carr, chief security and trust officer with Halcyon. 

“Part of it is to do with intelligence gathering, understanding what could they do if they really wanted to do something potentially much more malicious. How would that look?” Carr said. “It’s almost wargaming, in essence.”

Wednesday’s report also includes analysis of a separate cluster of cyberespionage-related activity using off-the-shelf tools that targeted U.S. manufacturers and a variety of industries in North and South America and in Europe. The attribution on the second cluster is less clear, the researchers said, but has some overlap with past Chinese and North Korean-linked activity.