This new tactic throws threat researchers off and makes their work much more arduous and uncertain
In the world of ransomware affiliates and leaked ransomware source code, it is often difficult to connect two ransomware strains with one threat actor.
Recently, threat researchers happened to pull off this feat while investigating an incident involving the largely unknown ransomware group, Cheerscrypt, whose tactics, techniques and procedures (TTPs) were found to resemble most of that used by another known ransomware group, Night Sky.
As Night Sky is part of the ransomware family run by China-linked Emperor Nightfly (also known as DEV-0401/ BRONZESTARLIGHT), Cheerscrypt’s origins were thereby established. Although most publications have so far described Cheerscrypt as a Linux-based ransomware family that targets ESXi servers, in a Jan 2022 incident, both Windows and ESXi machines were encrypted—an Emperor Nightfly characteristic. Further TTP characteristics analyzed pointed even more firmly in the direction of China-based threat group.
Unlike other ransomware groups, Emperor Dragonfly does not operate in an affiliate model, and they refrain from purchasing initial access from other threat actors. The group also rebrands its ransomware payloads every few months to stay under the radar, unlike other notorious groups that want to build up their reputations.
Threat researchers also noted that, despite Cheerscrypt actors presenting themselves as pro-Ukrainian, they were deploying open source tools written by Chinese developers for Chinese users. This reinforces their link with Emperor Dragonfly, whose operators are based in China.
According to Amnon Kushnir, Incident Response and Threat Hunting Team Leader, Sygnia, which conducted the threat research, the findings reaffirm that large threat groups are using newer methodologies to appear as several, smaller groups in order to avoid discovery, which is “crucial in helping our clients to better search their networks for traces of the threat group in a rapidly-changing landscape, as well as better defend their systems against Emperor Dragonfly and similar threats.”