Cybersecurity researchers have discovered a ransomware attack that uses strategies similar to those employed by cyber-espionage operations and nation-state-backed hacking.
The campaign came to light when the attackers attempted a ransomware attack against an unnamed product safety testing organization. The attack was detected and stopped before it could succeed, but it gave cybersecurity researchers at eSentire enough information to analyze the strategies, techniques, and procedures the attackers followed.
The eSentire research team found the attack unusual, both in terms of the threat group behind it and the tools and tactics involved.
The strategies employed in the attempted ransomware campaign resembled those previously linked to Chinese state-backed groups such as APT27, also known as Emissary Panda.
The attackers used a new ransomware family dubbed ‘Hello Ransomware.’ The low quality of the ransomware, the lack of any documented breaches by it, and the attackers’ use of infiltration and surveillance tactics together cast doubt on whether ransomware is the operators’ primary objective.
“Or are the cyber criminals dropping ransomware into their target victims’ IT environment to simply distract from their real motive – cyber espionage?” eSentire said.
While none of this proves that those behind the ransomware are acting for or on behalf of China, it shows how cyber criminals may borrow the techniques of advanced government-backed hacking groups to spread their malware.
SharePoint vulnerabilities and the China Chopper web shell were among the tools the threat actors used. Although China Chopper is most closely associated with Chinese APT groups, it is widely available and used by many other state-sponsored and independent attackers.
Beyond the exploits and the China Chopper web shell, there were time delays between the different attack stages. Such delays signal a hands-on, human-operated intrusion, a way of working for which APT groups are well known.
Those behind the ransomware may be staging a false flag operation, employing techniques known to be used by a specific group in the hope of diverting attention away from themselves. It is also clear that these methods are highly effective at compromising networks, which makes them well suited to ransomware attacks.
Hello, like other ransomware, encrypts files and demands a ransom from victims in return for the decryption key. It appends the extension “.hello” to encrypted files. The ransom note is simple: a note opened in Notepad instructing the victim to email the attackers to negotiate a payment.
‘Hello’ ransomware doesn’t threaten to leak stolen data, nor does it operate based on a ransomware-as-a-service model. Despite this, the hands-on nature of the attacks suggests that whoever is behind Hello ransomware knows what they are doing.
Researchers even speculate that the malware was set up as a decoy while the foundations for something else were being constructed. The campaign is still a mystery.