Security researchers claim that cyber criminals who use tactics and tools previously associated with Chinese government-supported computer network intrusions have joined the cyber crime industry of ransomware.
Ransomware, which involves encrypting a target’s computer files and then demanding payment to unlock them, has generally been considered the domain of run-of-the-mill cyber criminals. Nevertheless, the security companies’ executives have seen, in at least a half dozen cases over the last three months, a level of sophistication akin to that of state-sponsored attacks, including the techniques used to gain entry and move around the networks, as well as the software used to manage the intrusions.
“It is obviously a group of skilled operators that have some amount of experience conducting intrusions,” stated Phil Burdette, who heads an incident response team.
Phil Burdette and his team were called in on three cases in as many months where hackers spread ransomware after exploiting known vulnerabilities in application servers. From there, the hackers got more than 100 computers in each of the companies to install the malicious programs.
Among the victims of ransomware were a transportation company and a technology firm which had 30% of its computers infected.
Security firms Attack Research, InGuardians and G-C Partners said they had separately investigated three other similar ransomware attacks since December. The researchers concluded that a well-known advanced threat group from China was behind the attacks on the affected companies.
The ransomware attacks have not previously been reported, and the companies which were victims of the hackers refused to be identified publicly.
The security experts have different theories about what is behind them, though they have not come to any final conclusions yet.
The theories centre on the possibility that the Chinese government has reduced its support for economic espionage, which it pledged to oppose in an agreement with the United States last year. Some US companies have reported a decline in Chinese hacking since the agreement.
The researchers say that some government hackers or contractors could be out of work, or have less of it, and be looking to supplement their income via ransomware.
According to Burdette, the companies which had been penetrated for trade secrets or other reasons in the past were now being abandoned as China backs away, and the spies or their associates were taking as much as they could on the way out. In one of Dell’s cases, the means of access by the team spreading ransomware was established in 2013.
The security researchers could not completely rule out more prosaic explanations, such as the possibility that ordinary criminals had improved their skills and bought tools previously used only by governments.
According to Dell, some of the malicious software had been associated by other security firms with a group dubbed Codoso, which has a years-long record of attacks of interest to the Chinese government, including those on US defence companies and on websites that draw Chinese minorities.
Ransomware has been around for years, spread by some of the same people who previously installed fake antivirus programs on home computers and badgered the victims into paying to remove imaginary threats.
During the past two years, better encryption techniques have often made it impossible for users to regain access to their files without cooperation from the hackers. Most ransomware payments are made in the virtual currency Bitcoin and remain secret, but institutions including a Los Angeles hospital have gone public about ransomware attacks.
The creators of ransomware often set low prices that most victims are willing to pay, and they usually do decrypt the files, which ensures that victims post positively online about the transaction, making the next victims who research their predicament more willing to pay.
However, the security companies have warned that, because the aggregate payoffs for ransomware gangs are increasing, more hackers will shift to it from credit card theft and other more complicated scams.