There was a time when the boundary between cybercrime and state-aligned threat activity was rather easy to discern. Cybercriminals were fuelled solely by the profit motive. And their counterparts in the government carried out mainly cyberespionage campaigns, plus the occasional destructive attack, to further their employers’ geopolitical goals. However, in recent months, this line has begun to dissolve, including when it comes to ransomware, a trend also noted by ESET’s latest Threat Report.

This has potentially major implications for IT and security leaders – not only increasing the risk of attack, but also changing the calculus around how to mitigate that risk.

Blurred lines in cyberspace

You could argue that ransomware attacks launched by state-sponsored hackers are, in fact, nothing new. In 2017, North Korea-affiliated operatives are thought to have launched WannaCry (aka WannaCryptor), the first ever global ransomworm. It was only halted after a security researcher stumbled upon and activated a “kill switch” hidden in the malicious code. In the same year, state-sponsored hackers launched the NotPetya campaign against Ukrainian targets, although in this case it was actually destructive malware disguised as ransomware in order to throw investigators off the scent. In 2022, ESET observed the Russian Sandworm group using ransomware in a similar way: as a data wiper.

The line between state-backed operations and financially motivated crime has been blurring ever since. As we also noted a while back, many dark web vendors sell exploits and malware to state actors, while some governments hire freelance hackers to help with certain operations.

What’s happening today?

However, these trends appear to be accelerating. Specifically, in the recent past, ESET and others have observed several apparent motives:

Ransomware to fill state coffers

Government hackers are deliberately using ransomware as a money-making tool for the state. This is most obvious in North Korea, where threat groups also target cryptocurrency firms and banks with sophisticated mega-heists. In fact, it’s believed they made about $3bn in illicit profits from this activity between 2017 and 2023.

In May 2024, Microsoft observed Pyongyang-aligned Moonstone Sleet deploying custom ransomware dubbed “FakePenny” on the networks of several aerospace and defense organizations, after first stealing sensitive information. “This behavior suggests the actor had objectives for both intelligence gathering and monetization of its access,” it said.

North Korean group Andariel is also suspected to have provided initial access and/or affiliate services to the ransomware group known as Play. That’s because Play ransomware was spotted in a network previously compromised by Andariel.

Making money on the side

Another motive for state involvement in ransomware attacks is to let government hackers earn some money from moonlighting. One example is Iranian group Pioneer Kitten (aka Fox Kitten, UNC757 and Parisite) which has been spotted by the FBI “collaborating directly with ransomware affiliates to enable encryption operations in exchange for a percentage of the ransom payments.”

It worked closely with NoEscape, Ransomhouse, and ALPHV (aka BlackCat) – not only providing initial access, but also helping to lock down victim networks and collaborate on ways to extort victims.

Throwing investigators off the scent

State-linked APT groups are also using ransomware to cover up the true intent of attacks. This is what the China-aligned ChamelGang (aka CamoFei) is believed to have done in multiple campaigns targeting critical infrastructure organizations in East Asia and India, as well as the US, Russia, Taiwan and Japan. Using the CatB ransomware in this way not only provides cover for these cyber-espionage operations, but also enables operatives to destroy evidence of their data theft.

Does attribution matter?

It’s obvious why government-backed groups are using ransomware. At the very least, it provides them with a useful cover of plausible deniability which can confuse investigators. And in many cases, it does so while increasing state revenue and helping to motivate government-employed hackers who are often little more than poorly paid civil servants. The big question is whether it really matters who is doing the attacking. After all, Microsoft has even uncovered evidence of government agencies outsourcing work wholesale – although in the case of Storm-2049 (UAC-0184 and Aqua Blizzard), no ransomware was involved.

There are two schools of thought here. On the one hand, best practice security advice should still ring true – and be an effective way to build resilience and accelerate incident response – whoever is doing the attacking. In fact, if state-aligned APT groups end up using cybercrime tactics, techniques and procedures (TTPs), this may even benefit network defenders, as these are likely to be easier to detect and defend against than sophisticated custom tools.

However, there’s also an argument for saying that understanding one’s adversary is the essential first step to managing the threat they pose. This is explained in the 2023 research report, Cyber Attacker Profiling for Risk Analysis Based on Machine Learning: “One of the essential components of cyber security risk analysis is an attacker model definition. The specified attacker model, or attacker profile, affects the results of risk analysis, and further the selection of the security measures for the information system.”

Fighting back

That said, if you don’t know the identity of your adversary, there are still ways to mitigate the impact of their ransomware attacks. Here are 10 best practice steps:

  • Tackle social engineering with updated security training and awareness programs
  • Ensure accounts are protected with long, strong and unique passwords and multifactor authentication (MFA)
  • Segment networks to reduce the “blast area” of attacks and limit lateral movement
  • Deploy continuous monitoring (endpoint detection and response or managed detection and response) to identify suspicious behavior early on
  • Regularly test the effectiveness of security controls, policies and processes to drive continuous improvement
  • Deploy advanced vulnerability and patch management tools
  • Ensure all sensitive assets are protected by multi-layered security software from a reputable supplier, including for desktops, servers and laptops/mobile devices
  • Invest in threat intelligence from a trusted partner
  • Perform regular backups in line with best practice
  • Devise an effective incident response strategy and practice periodically

According to one estimate, organized crime accounted for 60% of data breaches last year, versus just 5% attributed to nation states. But the latter share is growing, and the breaches themselves could have an outsized impact on your organization. Continued awareness and proactive risk management are essential.