Chinese Hacker Groups Using Off-The-Shelf Tools To Deploy Ransomware

Cyberespionage actors are increasingly using ransomware as a final attack stage for financial gain, disruption, or to cover their tracks. A SentinelLabs report details previously undisclosed attacks by ChamelGang, a suspected Chinese APT group, which used CatB ransomware against a major Indian healthcare institution and the Brazilian Presidency in 2022.

ChamelGang also targeted other government and critical infrastructure organizations.

Another intrusion cluster using common encryption tools like BestCrypt and BitLocker hit various industries across North America, South America, and Europe, with a focus on US manufacturing.


While the source of this second cluster is unclear, there are overlaps with past intrusions linked to suspected Chinese and North Korean APT groups. 

BestCrypt & BitLocker targets

Researchers analyzed two APT clusters targeting governments and critical infrastructure sectors globally between 2021 and 2023. One cluster is linked to ChamelGang, a suspected Chinese APT group. 

In 2023, ChamelGang targeted a government organization in East Asia and an aviation organization in the Indian subcontinent, using their known tools and techniques. 

They are also suspected of being behind the 2022 ransomware attacks on the Presidency of Brazil and the All India Institute of Medical Sciences, likely using their CatB ransomware; the attribution rests on overlaps in code, staging mechanisms, and malware artifacts with other ChamelGang intrusions.

The second cluster comprises intrusions between 2021 and 2023 in which attackers abused legitimate disk encryption tools, Jetico BestCrypt and Microsoft BitLocker, to encrypt victim endpoints for ransom. Thirty-seven organizations, primarily in North America's manufacturing sector, were affected.

The attackers leveraged compromised access to deploy the encryption tools, impacting the education, finance, healthcare, and legal sectors as well.
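Because both clusters encrypted endpoints with tooling that is legitimately present on Windows hosts, the detection opportunity is less about the binary itself and more about who launched it, from where, and on how many machines. The following is an added illustration, not code from the article or from SentinelLabs: it runs simple rules over constructed process-creation telemetry (the `timestamp|host|user|parent_image|command_line` format, the allow-listed service account and management-agent parent, the mass-encryption threshold, and the BestCrypt executable name are all assumptions; `manage-bde.exe -on` and the `Enable-BitLocker` cmdlet are real Windows names).

```python
"""Flag launches of legitimate disk-encryption tools that look like ransomware
staging: unexpected account, unexpected parent process, or one account
enabling encryption across many hosts in the same batch of events.

All sample events below are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Command-line signatures for the encryption tools the article says were abused.
# manage-bde.exe and Enable-BitLocker are real Windows names; the BestCrypt
# entry is an assumed placeholder, to be replaced with the deployed binary name.
ENCRYPTION_TOOL_PATTERNS = {
    "bitlocker-cli": re.compile(r"\bmanage-bde(\.exe)?\b.*\s-on\b", re.IGNORECASE),
    "bitlocker-powershell": re.compile(r"\bEnable-BitLocker\b", re.IGNORECASE),
    "bestcrypt": re.compile(r"\bbestcrypt-cli-placeholder\.exe\b", re.IGNORECASE),
}

# Assumed allow-list: the only account and parent process expected to roll out
# disk encryption in this environment (lower-cased for comparison).
EXPECTED_ACCOUNTS = {"corp\\svc-endpoint-mgmt"}
EXPECTED_PARENTS = {"c:\\program files\\endpoint-mgmt\\agent.exe"}

# Assumed threshold: one account enabling encryption on this many distinct
# hosts within one batch of events is treated as mass encryption.
MASS_ENCRYPTION_HOSTS = 3


@dataclass
class Finding:
    host: str   # "*" for findings that span several hosts
    user: str
    tool: str
    reason: str


def parse_event(line: str):
    """Parse one constructed telemetry line: timestamp|host|user|parent|command."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None  # malformed line: skip rather than crash the detector
    ts, host, user, parent, cmd = parts
    return {"ts": ts, "host": host, "user": user.lower(),
            "parent": parent.lower(), "cmd": cmd}


def match_tool(cmd: str):
    """Return the first encryption-tool label whose pattern matches, else None."""
    for tool, pattern in ENCRYPTION_TOOL_PATTERNS.items():
        if pattern.search(cmd):
            return tool
    return None


def detect(lines):
    """Run the per-event and cross-host rules; return a list of Finding."""
    findings = []
    hosts_by_user_tool = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        tool = match_tool(ev["cmd"])
        if tool is None:
            continue  # not an encryption-tool launch (e.g. manage-bde -status)
        hosts_by_user_tool[(ev["user"], tool)].add(ev["host"])
        reasons = []
        if ev["user"] not in EXPECTED_ACCOUNTS:
            reasons.append("unexpected account")
        if ev["parent"] not in EXPECTED_PARENTS:
            reasons.append("unexpected parent " + ev["parent"])
        if reasons:
            findings.append(Finding(ev["host"], ev["user"], tool, "; ".join(reasons)))
    # Cross-host rule: one account turning on encryption across many endpoints.
    for (user, tool), hosts in hosts_by_user_tool.items():
        if len(hosts) >= MASS_ENCRYPTION_HOSTS:
            findings.append(Finding("*", user, tool,
                                    f"encryption launched on {len(hosts)} hosts"))
    return findings


# Constructed sample telemetry: one legitimate rollout by the management agent,
# then the same tools launched by an ordinary user from cmd.exe/powershell.exe.
SAMPLE_EVENTS = [
    "2022-11-01T02:13:05Z|WS-0417|CORP\\svc-endpoint-mgmt|C:\\Program Files\\Endpoint-Mgmt\\agent.exe|manage-bde.exe -on C: -RecoveryPassword -UsedSpaceOnly",
    "2022-11-01T02:14:11Z|WS-0418|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|manage-bde.exe -on D: -UsedSpaceOnly",
    "2022-11-01T02:14:40Z|WS-0419|CORP\\jdoe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -Command Enable-BitLocker -MountPoint C: -UsedSpaceOnly -RecoveryPasswordProtector",
    "2022-11-01T02:15:02Z|WS-0420|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|manage-bde.exe -on E: -UsedSpaceOnly",
    "2022-11-01T02:15:30Z|WS-0421|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|manage-bde.exe -on C: -UsedSpaceOnly",
    "2022-11-01T02:16:00Z|WS-0422|CORP\\jdoe|C:\\Windows\\System32\\cmd.exe|manage-bde.exe -status C:",
    "2022-11-01T02:16:20Z|WS-0423|CORP\\jdoe|C:\\Windows\\explorer.exe|notepad.exe readme.txt",
    "malformed line without enough fields",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.host:8} {f.user:24} {f.tool:22} {f.reason}")
```

The per-event rules give the earliest signal (a single host being encrypted from an interactive shell by a non-admin account), while the cross-host rule catches the pattern the article describes, many endpoints hit in a short window, even when each individual launch is dressed up to look routine. In production the allow-lists and threshold would come from the organization's actual encryption rollout process rather than from constants.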

Cyberespionage actors are increasingly using ransomware for more than just financial gain: encrypting data can destroy forensic artifacts, hindering attribution and deflecting blame.

The urgency of data recovery can also distract security teams, allowing further espionage activity to go unnoticed; this convergence of cybercrime and espionage tactics creates challenges for defenders.

Siloed information sharing between law enforcement (ransomware focus) and intelligence agencies (espionage focus) can lead to missed opportunities to identify threats, assess risks, and maintain a clear understanding of the overall cyber landscape. 

SentinelLabs stresses collaboration on incidents that mix cybercrime and espionage, including sharing data, examining artifacts, and analyzing the bigger picture of ransomware attacks, in order to improve the identification of attackers, their goals, and their motivations.

They are actively tracking cyberespionage groups that blur the lines between traditional categories and aim to share that knowledge to help organizations defend against these threats.


Aman Mishra
