State-aligned Actors Are Increasingly Deploying Ransomware – And That’s Bad News For Everyone


The blurring of lines between cybercrime and state-sponsored attacks underscores the increasingly fluid and multifaceted nature of today’s cyberthreats

Phil Muncaster

07 Jan 2025 • 5 min. read

There was a time when the boundary between cybercrime and state-aligned threat activity was relatively easy to discern. Cybercriminals were fuelled solely by the profit motive. And their counterparts in government carried out mainly cyberespionage campaigns, plus the occasional destructive attack, to further their employers’ geopolitical goals. However, in recent months, this line has begun to dissolve, including when it comes to ransomware, a trend also noted by ESET’s latest Threat Report.

This has potentially major implications for IT and security leaders – not only increasing the risk of attack, but also changing the calculus about how to mitigate that risk.

Blurred lines in cyberspace

You could argue that ransomware attacks launched by state-sponsored hackers are, in fact, nothing new. In 2017, North Korea-affiliated operatives are thought to have launched WannaCry (aka WannaCryptor), the first ever global ransomworm. It was only halted after a security researcher stumbled upon and activated a “kill switch” hidden in the malicious code. In the same year, state-sponsored hackers launched the NotPetya campaign against Ukrainian targets, though in this case it was actually destructive malware disguised as ransomware in order to throw investigators off the scent. In 2022, ESET observed the Russian Sandworm group using ransomware in a similar way: as a data wiper.

The line between state-backed operations and financially motivated crime has been blurring ever since. As we also noted a while back, many dark web vendors sell exploits and malware to state actors, while some governments hire freelance hackers to help with certain operations.

What’s happening today?

However, these trends appear to be accelerating. Specifically, in the recent past, ESET and others have observed several apparent motives:

Ransomware to fill state coffers

Government hackers are deliberately using ransomware as a money-making tool for the state. This is most evident in North Korea, where threat groups also target cryptocurrency firms and banks with sophisticated mega-heists. In fact, it’s believed they made around $3bn in illicit profits from this activity between 2017 and 2023.

In May 2024, Microsoft observed Pyongyang-aligned Moonstone Sleet deploying custom ransomware dubbed “FakePenny” on the networks of several aerospace and defense organizations, after first stealing sensitive information. “This behavior suggests the actor had objectives for both intelligence gathering and monetization of its access,” it said.

North Korean group Andariel is also suspected to have provided initial access and/or connection services to the ransomware group known as Play. That’s because Play ransomware was spotted in a network previously compromised by Andariel.

Making money on the side

Another motive for state involvement in ransomware attacks is to let government hackers earn some money from moonlighting. One example is the Iranian group Pioneer Kitten (aka Fox Kitten, UNC757 and Parisite), which has been spotted by the FBI “collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments.”

It worked closely with NoEscape, Ransomhouse, and ALPHV (aka BlackCat) – not only providing initial access, but also helping to lock down victim networks and collaborating on ways to extort victims.

Throwing investigators off the scent

State-linked APT groups are also using ransomware to cover up the real intent of attacks. This is what the China-aligned ChamelGang (aka CamoFei) is believed to have done in multiple campaigns targeting critical infrastructure organizations in East Asia and India, as well as the US, Russia, Taiwan and Japan. Using the CatB ransomware in this way not only provides cover for these cyber-espionage operations, but also enables operatives to destroy evidence of their data theft.

Does attribution matter?

It’s clear why government-backed groups are using ransomware. At the very least, it provides them with a useful cover of plausible deniability which can confuse investigators. And in many cases, it does so while increasing state revenue and helping to motivate government-employed hackers who are often little more than poorly paid civil servants. The big question is whether it really matters who is doing the attacking. After all, Microsoft has even uncovered evidence of state agencies outsourcing work wholesale – though in the case of Storm-2049 (UAC-0184 and Aqua Blizzard), no ransomware was involved.

There are two schools of thought here. On the one hand, best practice security advice should still ring true – and be an effective way to build resilience and accelerate incident response – whoever is doing the attacking. In fact, if state-aligned APT groups end up using cybercrime tactics, techniques and procedures (TTPs), this may even benefit network defenders, as these are likely to be easier to detect and defend against than sophisticated custom tools.

However, there’s also an argument for saying that knowing one’s adversary is the essential first step to managing the threat they pose. This is explained in the 2023 research report, Cyber Attacker Profiling for Risk Analysis Based on Machine Learning: “One of the basic components of cyber security risk analysis is an attacker model definition. The specified attacker model, or attacker profile, affects the results of risk analysis, and further the selection of the security measures for the information system.”

Fighting back

That said, if you don’t know the identity of your adversary, there are still ways to mitigate the impact of their ransomware attacks. Here are 10 best practice steps:

  • Tackle social engineering with updated security training and awareness programs
  • Ensure accounts are protected with long, strong and unique passwords and multifactor authentication (MFA)
  • Segment networks to reduce the “blast radius” of attacks and limit lateral movement
  • Deploy continuous monitoring (endpoint detection and response or managed detection and response) to identify suspicious behavior early on
  • Regularly test the effectiveness of security controls, policies and processes to drive continuous improvement
  • Deploy advanced vulnerability and patch management tools
  • Ensure all sensitive assets are protected by multi-layered security software from a reputable supplier, including for desktops, servers and laptops/mobile devices
  • Invest in threat intelligence from a trusted partner
  • Perform regular backups in line with best practice
  • Devise an effective incident response strategy and practice it periodically

According to one estimate, organized crime accounted for 60% of data breaches last year, versus just 5% attributed to nation states. But the latter share is growing, and the breaches themselves could have an outsized impact on your organization. Continued awareness and proactive risk management are essential.
