Thursday, April 10, 2025
HomeCyber CrimeChinese Hacker Groups Using Off-The-Shelf Tools To Deploy Ransomware

Chinese Hacker Groups Using Off-The-Shelf Tools To Deploy Ransomware

Published on

SIEM as a Service

Follow Us on Google News

Cyberespionage actors are increasingly using ransomware as a final attack stage for financial gain, disruption, or to cover their tracks, as the report details previously undisclosed attacks by a suspected Chinese APT group, ChamelGang, who used CatB ransomware against a major Indian healthcare institution and the Brazilian Presidency in 2022.

ChamelGang also targeted other government and critical infrastructure organizations.

Another intrusion cluster using common encryption tools like BestCrypt and BitLocker hit various industries across North America, South America, and Europe, with a focus on US manufacturing.

- Advertisement - Google News

Scan Your Business Email Inbox to Find Advanced Email Threats - Try AI-Powered Free Threat Scan

While the source of this second cluster is unclear, there are overlaps with past intrusions linked to suspected Chinese and North Korean APT groups. 

BestCrypt & BitLocker targets

Researchers analyzed two APT clusters targeting governments and critical infrastructure sectors globally between 2021 and 2023. One cluster is linked to ChamelGang, a suspected Chinese APT group. 

In 2023, ChamelGang targeted a government organization in East Asia and an aviation organization in the Indian subcontinent, using their known tools and techniques. 

They are also suspected to be behind the 2022 ransomware attacks on the Presidency of Brazil and the All India Institute of Medical Sciences, likely using their CatB ransomware, which is based on overlaps in code, staging mechanisms, and malware artifacts with other ChamelGang intrusions.  

There were intrusions between 2021 and 2023, during which attackers abused legitimate disk encryption tools, Jetico BestCrypt and Microsoft BitLocker, to encrypt victim endpoints for ransom. Thirty-seven organizations, primarily in North America’s manufacturing sector, were affected. 

The attackers leveraged compromised access to deploy the encryption tools, impacting the education, finance, healthcare, and legal sectors as well.

Cyberespionage actors are increasingly using ransomware for more than just financial gain, while the data encryption can destroy forensic artifacts, hindering attribution and deflecting blame. 

Additionally, the urgency of data recovery can distract security teams, allowing further espionage activities to go unnoticed, and this convergence of cybercrime and espionage tactics creates challenges. 

Siloed information sharing between law enforcement (ransomware focus) and intelligence agencies (espionage focus) can lead to missed opportunities to identify threats, assess risks, and maintain a clear understanding of the overall cyber landscape. 

SentinelLabs stresses collaboration on cybercrime/espionage incidents, which includes sharing data, examining artifacts, and analyzing the bigger picture of ransomware attacks by improving the identification of attackers, their goals, and motivations.

They are actively tracking cyberespionage groups that blur the lines between traditional categories and aim to share knowledge to help organizations defend against these threats.

Stay in the loop with the latest in cybersecurity by following us on Linkedin and X for daily updates!

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Hackers Claim WooCommerce Breach Exposing 4.4 Million Customer Records

A hacker operating under the alias “Satanic” has claimed responsibility for a massive data...

TP-Link Smart Hub Flaw Exposes Users’ Wi-Fi Credentials

A critical vulnerability has been discovered in TP-Link’s Smart Hub, potentially exposing users’ Wi-Fi...

APT32 Turns GitHub into a Weapon Against Security Teams and Enterprise Networks

Southeast Asian Advanced Persistent Threat (APT) group OceanLotus, also known as APT32, has been...

AkiraBot Floods 80,000 Sites After Outsmarting CAPTCHAs and Slipping Past Network Defenses

AkiraBot, identified by SentinelLABS, represents a sophisticated spam bot framework that targets website chats...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Hackers Claim WooCommerce Breach Exposing 4.4 Million Customer Records

A hacker operating under the alias “Satanic” has claimed responsibility for a massive data...

TP-Link Smart Hub Flaw Exposes Users’ Wi-Fi Credentials

A critical vulnerability has been discovered in TP-Link’s Smart Hub, potentially exposing users’ Wi-Fi...

APT32 Turns GitHub into a Weapon Against Security Teams and Enterprise Networks

Southeast Asian Advanced Persistent Threat (APT) group OceanLotus, also known as APT32, has been...