
Hackers Linked to the Chinese Government Discovered Operating a Dangerous Ransomware Scheme.
The group known as Emperor Dragonfly was observed using ransomware, but what is the reason behind this?
Security researchers have detected unusual activity from Emperor Dragonfly (also tracked as Bronze Starlight), a threat group assessed to be linked to the Chinese state. The group carried out a ransomware attack against a software and services company in Asia, demanding $2 million and offering to reduce the figure to $1 million if payment was made within three days.
Symantec's Threat Hunter Team observed the intrusion in late 2024 and found that it relied on a toolset the group had previously used only for cyber espionage. In those earlier campaigns the group targeted government bodies in Eastern Europe, abusing legitimate executables to load malicious DLLs that installed a backdoor (a variant of PlugX) and gave the attackers persistent access to the victims' networks.
On this occasion, however, the same approach was used to break into the Asian company's systems and was followed by the deployment of a ransomware encryptor, the RA World variant (a rebrand of the earlier RA Group). Deploying ransomware is a notable departure for a Chinese state-linked group; it is far more characteristic of North Korean actors, who use extortion to fund state operations.
One theory is that the ransomware was a diversion to draw attention away from a broader espionage operation; Symantec's own assessment leaned towards a member of the group moonlighting with the team's tooling for personal gain. Symantec could not independently establish the initial access vector, but the attackers themselves claimed to have exploited a known vulnerability in Palo Alto Networks' PAN-OS, CVE-2024-0012, an authentication bypass in the management web interface. From there they harvested administrative credentials from the company's intranet, took Amazon S3 credentials from its Veeam backup server, used those to pull data from the company's S3 buckets, and only then encrypted the machines. The chain is a reminder that a backup server necessarily holds cloud credentials, and that those keys deserve tight scoping and monitoring.
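As an added illustration that is not from the original article or from Symantec's report: the chain above ends with cloud credentials lifted from a backup server, and the question a defender asks is how that misuse would surface. The script below runs a simple check over constructed CloudTrail S3 records: a tracked backup access key is pinned to the addresses the backup server talks to AWS from and to the repository bucket(s) it is allowed to touch, and any use from elsewhere, against other buckets, or for account-wide enumeration is flagged. The access key IDs, IP addresses, bucket names and the allow-list itself are hypothetical values chosen for the example.

```python
"""Flag misuse of a backup server's S3 credentials in CloudTrail.

A backup server (Veeam in the case described above) that writes to an S3
repository holds a long-lived access key. Once an attacker has admin on that
server the key travels with them, and the first sign is usually the key being
used from a host that is not the backup server, against buckets that are not
the repository, or for enumeration a backup writer never performs.

Records below are constructed for this example in the shape of CloudTrail
S3 events (assumed fields: eventName, sourceIPAddress,
userIdentity.accessKeyId, requestParameters.bucketName). Key IDs, IPs and
bucket names are hypothetical.
"""
import json

# Per-environment knowledge (hypothetical): which access key the backup server
# holds, which addresses it talks to AWS from, and which bucket(s) it may touch.
BACKUP_KEYS = {
    "AKIAEXAMPLEBACKUP001": {
        "expected_ips": {"203.0.113.10"},
        "repo_buckets": {"corp-veeam-repo"},
    },
}
# Account-wide enumeration is reconnaissance, not backup traffic.
RECON_OPERATIONS = {"ListBuckets", "GetBucketPolicy", "GetBucketAcl"}

# Constructed sample: one normal write, then the same key used from a foreign
# address to enumerate and read, then a read of an unrelated bucket, then an
# untracked key that the check must ignore.
SAMPLE_RECORDS = """
{"eventTime":"2024-11-19T02:01:10Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEBACKUP001"},"requestParameters":{"bucketName":"corp-veeam-repo","key":"Backups/job1/1.vbk"}}
{"eventTime":"2024-11-19T03:12:44Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEBACKUP001"},"requestParameters":null}
{"eventTime":"2024-11-19T03:13:02Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEBACKUP001"},"requestParameters":{"bucketName":"corp-veeam-repo","key":"Backups/job1/1.vbk"}}
{"eventTime":"2024-11-19T03:20:15Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"203.0.113.10","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEBACKUP001"},"requestParameters":{"bucketName":"corp-finance-exports","key":"2024/q3.csv"}}
{"eventTime":"2024-11-19T03:21:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","sourceIPAddress":"198.51.100.77","userIdentity":{"type":"IAMUser","accessKeyId":"AKIAEXAMPLEOTHER0002"},"requestParameters":{"bucketName":"corp-web-assets","key":"logo.png"}}
""".strip().splitlines()


def parse_records(lines):
    """One JSON object per line, as exported from a CloudTrail query."""
    return [json.loads(line) for line in lines if line.strip()]


def check_backup_key_usage(records, backup_keys=BACKUP_KEYS):
    """Return one finding per record in which a tracked backup key behaves oddly."""
    findings = []
    for r in records:
        key = (r.get("userIdentity") or {}).get("accessKeyId")
        profile = backup_keys.get(key)
        if profile is None:
            continue  # not a credential we are tracking
        ip = r.get("sourceIPAddress")
        bucket = (r.get("requestParameters") or {}).get("bucketName")
        reasons = []
        if ip not in profile["expected_ips"]:
            reasons.append(f"used from unexpected address {ip}")
        if bucket is not None and bucket not in profile["repo_buckets"]:
            reasons.append(f"touched non-repository bucket {bucket}")
        if r.get("eventName") in RECON_OPERATIONS:
            reasons.append(f"enumeration call {r['eventName']}")
        if reasons:
            findings.append({
                "time": r.get("eventTime"),
                "key": key,
                "event": r.get("eventName"),
                "ip": ip,
                "bucket": bucket,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in check_backup_key_usage(parse_records(SAMPLE_RECORDS)):
        print(f"{f['time']} {f['key']} {f['event']}: {'; '.join(f['reasons'])}")
```

The detection is a second line, not the first: the same constraint belongs in the key's IAM policy, with the resource list limited to the repository bucket and an aws:SourceIp condition pinned to the backup server, so that a lifted key is useless from the attacker's hosts rather than merely noisy.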
The intrusion itself followed the group's usual procedure: DLL side-loading. A legitimate, signed executable is dropped alongside a malicious DLL carrying the name of a library the executable expects to load; because Windows resolves that name from the application's own directory before the system directories, the trusted binary loads and runs the attacker's code, and anything watching only for unsigned or unknown processes sees a genuine vendor program. In this case a legitimate Toshiba executable served as the host, and its malicious companion DLL decrypted and ran the payload.
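As an added example, not code from the article or from Symantec: side-loading leaves a recognisable trace in image-load telemetry, and the script below hunts for it over constructed records in the shape of Sysmon Event ID 7 (ImageLoad) JSON exports. It flags any DLL loaded from the process's own directory, outside the Windows system directories, that is unsigned or signed by someone other than the executable's own signer, and marks pairs found in user-writable locations as higher priority. The field names assumed are those Sysmon emits for Event 7 (Image, ImageLoaded, Signed, Signature, SignatureStatus); the paths, signer names and the user-writable-directory list are assumptions for the example.

```python
"""Hunt for DLL side-loading in Sysmon Event ID 7 (ImageLoad) records.

Pattern looked for: a process loads a DLL that sits in the process's own
directory (outside the Windows system directories) and the DLL is unsigned,
or signed by someone other than the signer of the executable. That is the
shape of classic side-loading: a trusted vendor binary asks for a DLL by
name, Windows resolves it from the application directory first, and the
attacker's file is what gets loaded.

Sample records below are constructed for this example in the shape of
Sysmon Event 7 JSON exports (assumed field names: Image, ImageLoaded,
Signed, Signature, SignatureStatus).
"""
import json
from pathlib import PureWindowsPath

# Trailing separators keep "System32Evil" from matching "System32".
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# Directories an unprivileged user can normally write to (heuristic list);
# a loader pair dropped here ranks above one under Program Files.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

SAMPLE_EVENTS = r"""
{"EventID":7,"Image":"C:\\Program Files\\Vendor\\vendor.exe","ImageLoaded":"C:\\Program Files\\Vendor\\vendor.exe","Signed":"true","Signature":"Vendor Corp","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Program Files\\Vendor\\vendor.exe","ImageLoaded":"C:\\Windows\\System32\\kernel32.dll","Signed":"true","Signature":"Microsoft Windows","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Program Files\\Vendor\\vendor.exe","ImageLoaded":"C:\\Program Files\\Vendor\\vendorcore.dll","Signed":"true","Signature":"Vendor Corp","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Program Files\\Vendor\\vendor.exe","ImageLoaded":"C:\\Program Files\\Vendor\\vendorapi.dll","Signed":"false","Signature":"","SignatureStatus":"Unavailable"}
{"EventID":7,"Image":"C:\\Users\\Public\\Libraries\\updater.exe","ImageLoaded":"C:\\Users\\Public\\Libraries\\updater.exe","Signed":"true","Signature":"Some Hardware Vendor","SignatureStatus":"Valid"}
{"EventID":7,"Image":"C:\\Users\\Public\\Libraries\\updater.exe","ImageLoaded":"C:\\Users\\Public\\Libraries\\helper.dll","Signed":"false","Signature":"","SignatureStatus":"Unavailable"}
{"EventID":7,"Image":"C:\\Windows\\System32\\notepad.exe","ImageLoaded":"C:\\Windows\\System32\\ntdll.dll","Signed":"true","Signature":"Microsoft Windows","SignatureStatus":"Valid"}
""".strip().splitlines()


def _norm(path):
    """Lower-cased Windows path for comparisons (Sysmon paths vary in case)."""
    return str(PureWindowsPath(path)).lower()


def parent_dir(path):
    return str(PureWindowsPath(path).parent).lower()


def same_directory(exe, dll):
    return parent_dir(exe) == parent_dir(dll)


def in_system_dir(path):
    return _norm(path).startswith(SYSTEM_DIRS)


def is_user_writable(path):
    return _norm(path).startswith(USER_WRITABLE)


def parse_events(lines):
    return [json.loads(line) for line in lines if line.strip()]


def _valid_signature(e):
    return e.get("Signed") == "true" and e.get("SignatureStatus") == "Valid"


def find_sideload_candidates(events):
    """Return one finding per suspicious (process, DLL) pair."""
    # Sysmon also records the executable's own image load; use it to learn
    # who signed each process image so the DLL signer can be compared to it.
    exe_signer = {}
    for e in events:
        if _norm(e["Image"]) == _norm(e["ImageLoaded"]) and _valid_signature(e):
            exe_signer[_norm(e["Image"])] = e.get("Signature", "")

    findings = []
    for e in events:
        exe, dll = e["Image"], e["ImageLoaded"]
        if _norm(exe) == _norm(dll) or not _norm(dll).endswith(".dll"):
            continue
        if in_system_dir(dll) or not same_directory(exe, dll):
            continue  # normal system DLL, or a DLL loaded from elsewhere
        signer = exe_signer.get(_norm(exe))
        if _valid_signature(e):
            if signer is None or e.get("Signature") == signer:
                continue  # vendor's own signed component beside its exe
            reason = f"DLL signed by {e['Signature']!r} but exe signed by {signer!r}"
        else:
            reason = "unsigned DLL loaded from the executable's own directory"
        findings.append({
            "process": exe,
            "dll": dll,
            "exe_signer": signer,
            "user_writable_dir": is_user_writable(dll),
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_sideload_candidates(parse_events(SAMPLE_EVENTS)):
        level = "HIGH" if f["user_writable_dir"] else "MED"
        print(f"[{level}] {f['process']} -> {f['dll']}: {f['reason']}")
```

Expect noise from legitimately unsigned plugins in developer and build directories; the usual refinement is an allow-list keyed on the DLL hash (Sysmon's Hashes field) rather than on paths, since a side-loaded DLL is usually renamed to whatever the host executable expects.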