Israeli Sygnia links 2 ransomware groups to Chinese threat actor ‘Emperor Dragonfly’
Sygnia, an Israeli incident response and cybersecurity consulting firm, released a new report earlier this month revealing that attacks by the ransomware groups Night Sky and Cheerscrypt came from the same threat actor, dubbed “Emperor Dragonfly” by the company. This discovery reaffirms a newer pattern among ransomware threat actors: operating under several smaller group names in order to avoid attribution.
While investigating an incident involving Cheerscrypt, a largely unknown ransomware group, Sygnia’s IR team noticed that the tactics, techniques and procedures (TTPs) used strongly resembled those of another known ransomware group, Night Sky.
The fact that Night Sky’s Indicators of Compromise (IOC) had been identified, but Cheerscrypt ransomware had been deployed, prompted Sygnia’s IR team to dig deeper into Cheerscrypt’s origins. As a result, Sygnia became the first to identify Cheerscrypt, like Night Sky, as another ransomware family developed by Emperor Dragonfly.
In January 2022, the attackers compromised a VMware Horizon server by exploiting the Log4Shell vulnerability. From there, the threat actors expanded their foothold in the network and moved laterally by executing code remotely and deploying Cobalt Strike beacons.
After a months-long dwell period, the threat actors used the open-source command-line tool Rclone to exfiltrate sensitive information to a cloud storage service and then delivered the final payload: Cheerscrypt ransomware. Although most publications describe Cheerscrypt as a Linux-based ransomware family that targets ESXi servers, in the case investigated by Sygnia both Windows and ESXi machines were encrypted.
Unlike other ransomware groups, Emperor Dragonfly, also known as DEV-0401/BRONZE STARLIGHT, does not operate on an affiliate model and refrains from purchasing initial access from other threat actors. Instead, the group manages all stages of the attack lifecycle itself.
The group also rebrands its ransomware payloads every few months, which helps it stay under the radar, unlike other notorious groups that act to build their reputation. And although Cheerscrypt presents itself as pro-Ukrainian, in this incident the threat actors deployed open-source tools written by Chinese developers for Chinese users, bolstering previous claims that Emperor Dragonfly’s operators are based in China.
“In the world of ransomware affiliates and ransomware source code leaks, it’s often difficult to connect two strains of ransomware to a single threat actor,” said Amnon Kushnir, Incident Response and Threat Hunting Team Lead at Sygnia. “This discovery is critical to helping our customers better scan their networks for traces of the threat cluster in a rapidly changing landscape, as well as better defend their systems against Emperor Dragonfly and similar threats.”