<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>New research has uncovered a number of ransomware attacks linked to APT27, a hacker group widely believed to operate from China. <a href="https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" rel="noopener" target="_blank">A report from Security Joes and Profero</a> outlines their response to a ransomware incident involving the encryption of several core servers. During the analysis, the researchers also found malware samples tied to a DRBControl backdoor campaign from earlier this year, which targeted major gaming companies worldwide. Two Chinese APT groups have been linked to that campaign: APT27 and Winnti.</p> <!--more--> <p>APT27, also known as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse, is an infamous hacker group that has targeted organizations around the world since 2013. What makes this campaign notable is that it is the first time the group, previously known for cyber operations focused on intellectual property theft, has entered the ransomware business with a directly financial goal.</p> <h3>Our analysis</h3> <p>In the recently analyzed ransomware incident, involving a sample dubbed "Clambling", the victim was infected through a third-party service provider, which in turn had been infected through a different third-party service provider. Following the infection, a DRBControl backdoor and a PlugX sample (very common among Chinese threat actors) were loaded into memory using a Google Updater executable. This loading technique abuses the executable's susceptibility to DLL side-loading, in which a malicious DLL impersonates a legitimate one so that a legitimate Windows executable ends up executing the malicious code. 
Unlike the earlier DRBControl campaign, this sample did not use Dropbox as a C2 server, yet it remains quite versatile, allowing attackers to drop additional malware samples or execute commands through a reverse shell. In this incident, the attackers commanded BitLocker, a drive encryption tool built into Windows, to encrypt the core servers. An ASPXSpy webshell was also deployed in the attack, assisting the campaign's lateral movement. During the same period as this analysis, researchers at PTSecurity covered another ransomware attack linked to APT27, using the Polar ransomware variant.</p> <p>Security news website BleepingComputer reports the key takeaway from these attacks, as described by Daniel Bunce, Principal Security Analyst at Security Joes: the involvement of a cyberespionage group in a financially driven campaign. This unlikely shift may well be a heads-up for the security industry. The Security Joes and Profero report suggests that with COVID-19 on the loose and China currently under lockdown, such a switch to financial motives may not be so surprising.</p> <h3>The ThreatSTOP security research team is constantly researching new ransomware variants</h3> <p>We ensure that our solutions provide reliable protection against ransomware attacks. As part of our research, we’ve created an <a href="https://info.threatstop.com/hubfs/ThreatSTOPs%20Ultimate%20Ransomware%20Guide%20for%20Higher%20Education.pdf" rel="noopener" target="_blank">extensive ransomware guide</a> that you can use to:</p> <div> <ul> <li>Learn about ransomware types and attack vectors</li> <li>Review variant history and evolution</li> <li>Understand ransomware trends</li> <li>Know how to protect yourself from ransomware</li> </ul> <h3><a href="https://info.threatstop.com/hubfs/ThreatSTOPs%20Ultimate%20Ransomware%20Guide%20for%20Higher%20Education.pdf" rel="noopener" target="_blank" title="DOWNLOAD GUIDE">View ThreatSTOP's Ultimate Ransomware Guide</a></h3> <div> <h3><em>It takes less than an hour to install ThreatSTOP, and the security benefits are immediately visible. Join the movement of companies blocking attackers instead of just their threats.</em></h3> </div> </div></span>
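<p>One defensive check that the DLL side-loading description in "Our analysis" points to, written as an added example (not code from the Security Joes/Profero report or from ThreatSTOP): a heuristic over Sysmon Event ID 7 (Image loaded) records that flags an unsigned, or invalidly signed, DLL loaded from the same non-standard directory as its host executable, which is the pattern a side-loaded DLL beside a legitimate executable produces. The sample records, the directory and file names, and the helper function names are constructed for the example; only the Sysmon field names are real.</p>

```python
# Flag likely DLL side-loading in Sysmon Event ID 7 (Image loaded) records.
# Heuristic (added example, not from the Security Joes/Profero report): a DLL
# loaded from the same directory as its host executable, unsigned or with an
# invalid signature, and outside the standard Windows/Program Files trees.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

def _parent(path: str) -> str:
    # Lower-cased parent directory of a Windows path, with trailing backslash.
    return path.lower().rsplit("\\", 1)[0] + "\\"

def is_side_load_candidate(event: dict) -> bool:
    """True when an image-load record matches the side-loading heuristic above."""
    if str(event.get("EventID")) != "7":
        return False  # only image-load events carry the fields we need
    loaded = event.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return False
    image_dir = _parent(event.get("Image", ""))
    if image_dir != _parent(loaded):
        return False  # DLL resolved elsewhere (e.g. System32): ordinary loading
    if image_dir.startswith(TRUSTED_DIR_PREFIXES):
        return False  # vendor DLLs beside their installed executable are expected
    signed = str(event.get("Signed", "")).lower() == "true"
    return not (signed and event.get("SignatureStatus") == "Valid")

def find_side_loads(events) -> list:
    return [e for e in events if is_side_load_candidate(e)]

# Constructed sample records (not real telemetry); keys follow Sysmon EID 7 fields.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\Public\Updater\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Users\Public\Updater\helper.dll", "Signed": "false",
     "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Users\Public\Updater\GoogleUpdate.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true",
     "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false",
     "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for hit in find_side_loads(SAMPLE_EVENTS):
        print("possible DLL side-load:", hit["Image"], "->", hit["ImageLoaded"])
```

Only the first constructed record is flagged: the unsigned DLL beside an executable in a user-writable directory; the System32 load and the vendor DLL under Program Files are treated as ordinary loading.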