Chinese Hacker Groups Utilizing Commercial Tools

Cyberespionage actors increasingly use ransomware as a final-stage tactic, whether for financial gain, for disruption, or to cover their tracks. A recent report details previously undisclosed attacks by a suspected Chinese APT group known as ChamelGang, which deployed CatB ransomware against a major Indian healthcare institution and the Brazilian Presidency in 2022.

ChamelGang's targets were not limited to healthcare institutions and presidential offices; the group also went after numerous government bodies and critical infrastructure organizations. A second cluster of intruders, using the commercial encryption tools BestCrypt and BitLocker, carried out attacks across North America, South America, and Europe, focusing primarily on the manufacturing sector in the United States.

While the origins of this second cluster remain unclear, researchers observed similarities with earlier intrusions attributed to suspected Chinese and North Korean APT groups. Researchers examined two APT clusters that targeted governments and critical infrastructure sectors worldwide between 2021 and 2023; one of these clusters has been linked to ChamelGang, a known Chinese APT group.

In 2023, ChamelGang attacked a government organization in East Asia and an aviation organization in the Indian subcontinent, using its established tools and techniques. The group is also believed to be behind the 2022 ransomware attacks on the Presidency of Brazil and the All India Institute of Medical Sciences. Attribution of the CatB ransomware used in those attacks to ChamelGang was inferred from overlaps in code, staging methods, and malware artifacts observed in other ChamelGang intrusions.

Between 2021 and 2023, attackers in the second cluster abused legitimate disk encryption tools, Jetico BestCrypt and Microsoft BitLocker, to encrypt victims' endpoints and demand ransom payments. Thirty-seven organizations, mostly in the North American manufacturing sector, fell victim to these attacks; organizations in the education, finance, healthcare, and legal sectors were affected as well.

Ransomware deployment by cyberespionage actors serves purposes beyond monetary gain: encrypting data can destroy forensic evidence, complicating attribution and deflecting blame. The urgent need to restore data can also divert security teams' attention, giving further espionage activity room to proceed unnoticed. This convergence of cybercrime and espionage tactics presents a distinct set of challenges for defenders.

Close collaboration between law enforcement agencies, which typically focus on ransomware incidents, and intelligence agencies, which concentrate on espionage, is essential to avoid missed opportunities for threat identification, risk assessment, and a comprehensive understanding of the threat landscape. SentinelLabs calls for a coordinated approach to cybercrime and espionage incidents, emphasizing data sharing, artifact analysis, and a holistic investigation of ransomware attacks in order to identify attackers and understand their motives.

SentinelLabs continues to monitor cyberespionage groups that blur the boundaries between traditional classifications, with the aim of providing insights that help organizations strengthen their defenses against such threats. To stay up to date on developments in cybersecurity, follow us on LinkedIn and X for daily updates.
