Chinese Threat Groups That Use Ransomware and Ransomware Groups That Use Chinese Names
Chinese threat groups are increasingly deploying ransomware for political reasons, but not all Chinese-named ransomware groups are Chinese
Security experts have observed that the line between financially motivated criminal activities and politically motivated nation-state threat activities grows increasingly blurred. Some cybercrime operations mix state and criminal cyber threat activity; for example, North Korean state-sponsored threat actors launched cryptocurrency heists to “illicitly generate revenue for the country.” Further blurring the lines between states and criminals, the cybercriminal ecosystem is complex and constantly evolving. The Natto Team and others have explored this ecosystem, particularly in relation to ransomware. Various threat actors can be found on online underground discussion forums and marketplaces: cybercriminals who offer an array of specialized services, from pentesters and initial access brokers, to malware developers, to translators, ransom negotiators, and even government relations specialists. A thriving market in hackers-for-hire and ransomware-as-a-service makes it possible for even unskilled people to commission or carry out attacks. Then there are the legitimate cybersecurity companies like i-SOON, whose pentesting services can extend to data theft. Finally, there are the hackers in uniform, the nation-state or APT actors. They, too, haunt the underground forums to observe and to buy. They make use of the tools and services that the cybercriminals have already built up, as well as setting up front companies to hide their own malicious activities.
As the Natto Team continues our “Ransom-War” series, which digs into Russian ransomware actors and their delicate and complicated links with the Russian state, we also take the opportunity to explore ransomware activities conducted by Chinese threat groups and look into the motivation, intents, goals and techniques of these ransomware activities and how these activities fit into the overall ransomware world.
Notable Ransomware Activities Linked to Chinese Threat Groups
Examining cases of ransomware activities linked to Chinese threat actors shows an increase in the deployment of ransomware since 2016. The majority of the cases that threat hunters have revealed were politically motivated and conducted by threat actors with some degree of relationship to the Chinese state. (The Spectrum of State Responsibility, which cyber law researcher Jason Healey introduced in 2012, categorizes variations on the criminal/state relationship in hacking operations, ranging from “state-prohibited” to “state-encouraged” to “state-integrated.”) Chinese threat actors use ransomware to cause misattribution, distraction, disruption or even destruction and to provide financial gain, cover for espionage operations and the ability to remove the evidence.
Note: in the following timeline, the year given is the year in which an operation was reported.
2016 Codoso (or C0d0so0): Perpetrators Likely Used Espionage Hack Tactics for Initial Access then Waited to Launch Ransomware Attacks
Codoso (a.k.a. APT19, Deep Panda, Red Pegasus, C0d0so0), a threat group likely with links to the Chinese government, has been active since at least 2013. The group is well known for a widely publicized attack involving the compromise of Forbes.com in November 2014. Analysts from Palo Alto Networks’ Unit 42 assessed that Codoso used “sophisticated tactics and tools…leveraging zero-day exploits on numerous occasions in combination with watering hole and spear phishing attacks.” In 2016, four security firms, Dell Secureworks, Attack Research, InGuardians, and G-C Partners, investigated ransomware attacks targeting US companies and concluded the attacks were “the work of a known advanced threat group from China, although they cannot be positive,” according to a report from Reuters. Researchers from Dell Secureworks discovered that the malicious software used in the attacks had been associated with Codoso. In one case, Codoso exploited known vulnerabilities and established initial access to the victim’s network in 2013 but did not spread ransomware until three years later. InGuardians discovered similar tactics: threat actors launched suspected cyber espionage campaigns against a victim six months before conducting ransomware attacks.
2019 APT41: Ransomware Attack Attempt in a Dual Espionage and Cyber Crime Operation
In 2019, security firm Mandiant, now part of Google Cloud, reported on Chinese threat group APT41’s activity, showing that state-sponsored and cybercrime operations occurred simultaneously. APT41 operational times suggested the group conducted cyber espionage activities during typical working hours for tech workers in China, while the late-night to early-morning activities were financially motivated operations, particularly targeting the video game industry in East and Southeast Asia. In a highly unusual case, a Mandiant researcher discovered that APT41 attempted to extort a game company by deploying the Encryptor RaaS ransomware. This was likely because APT41 tried and failed to monetize a particular game via in-game currency, so the group used “ransomware to attempt to salvage their effort and profit from the compromise,” the Mandiant report assessed. A Ransomware-as-a-Service (RaaS) operation sold the Encryptor ransomware on darknet sites. APT41 likely used pay-for-service ransomware for convenience. However, the malware was unsuccessfully deployed because of a simple typographical error.
If this APT41 ransomware attack attempt was financially motivated by state hackers moonlighting in their off hours, the following case of the APT41-affiliated Winnti Group targeting Taiwan entities was most likely politically motivated.
2020 Winnti Group: Destructive Ransomware Attacks Targeting Taiwan Entities
In May 2020 Taiwan-CERT reported that several Taiwan-based petrochemical companies and one semiconductor manufacturing plant fell victim to targeted ransomware attacks that halted operations and required the companies to isolate the affected networks and restore backup files. The Taiwan Investigation Bureau attributed the ransomware attack to the China-based Winnti group. Security company Trend Micro analyzed the ransomware family and indicated the attack was potentially destructive, as the ransomware appeared to target databases and email servers for encryption.
This was the first major destructive attack using ransomware by a Chinese state-sponsored group in recent years. Chinese cyberthreat actors often use Taiwan as a test ground because of the common language and the Chinese perception that Taiwan is rightfully part of China and that world powers will not retaliate against China for aggression against a diplomatically isolated Taiwan.
The Natto Team noted that under the umbrella of the Winnti Group, the overlaps and links with other threat groups of Chinese origin are often confusing and complex. Security analysts such as Tom Hegel have tried to disentangle the “burning umbrella” of the Winnti Group. In a report written in 2018, Hegel and his team found that the Winnti umbrella’s overarching entity consisted of multiple teams and actors whose tactics, techniques, and procedures aligned, and whose infrastructure and operations overlapped. They assessed that the separate teams or actors of the Winnti umbrella operated at different stages of associated attacks; however, the lines between them were blurred and they were all associated with the same greater entity. Researchers have ascribed a wide variety of activity clusters to the “Winnti Group.” MITRE ATT&CK threat group profiles, for example, describe the Winnti Group as closely linked to Axiom, APT17 and Ke3chang. In contrast, “Threat Group Cards: A Threat Actor Encyclopedia,” a database maintained by the Electronic Transactions Development Agency of Thailand, has indicated that Winnti Group overlaps with APT41, BARIUM and Wicked Panda in public reporting on these groups.
2022 DEV-0401 (BRONZE STARLIGHT): Used Ransomware as a Smokescreen to Cover Espionage Activities
In January 2022, Microsoft reported that China-based ransomware operator DEV-0401 had deployed multiple ransomware attacks and exploited vulnerabilities in Internet-facing systems running Confluence and on-premises Exchange servers. In one campaign, DEV-0401 exploited a vulnerability in Internet-facing servers running vulnerable instances of VMware Horizon. After successful intrusions, the actor deployed the NightSky ransomware. Researchers from Secureworks also tracked DEV-0401 as BRONZE STARLIGHT. They found that the short lifespan of each ransomware family the actor deployed suggested the actor used ransomware as a smokescreen to cover its cyber espionage or intellectual property theft activities. In April 2022, DEV-0401 began using LockBit 2.0 malware, according to Microsoft. The LockBit Ransomware-as-a-Service enterprise is Russia-based but multinational. In June 2022, Dell Secureworks also noted that DEV-0401 has technical overlaps with APT10 (aka BRONZE RIVERSIDE), a group associated with the Chinese Ministry of State Security.
Ironically, LockBit affiliates would go on to attack Chinese state-owned bank ICBC (Industrial and Commercial Bank of China) on November 8, 2023 and Chinese state media outlet China Daily HK in May 2023. Apparently, the administrators of Russia-based LockBit welcomed a Chinese-speaking affiliate in 2022 but by 2023 were allowing other affiliates to attack Chinese entities. Will Thomas of Equinix hypothesizes: “has Russia lost control over their ransomware groups? Or was this a state-directed attack on China in retaliation for the numerous cyber-espionage campaigns targeting Russian government entities?”
2023 BRONZE STARLIGHT (SLIME34): Politically Motivated Targeting of the Southeast Asian Gambling Industry
In August 2023, SentinelOne, a US cybersecurity company, “identified suspected-Chinese malware and infrastructure potentially involved in China-associated operations directed at the gambling sector in Southeast Asia.” Analysts from SentinelOne indicated that the threat group involved was “unclear due to the interconnected relationships among various Chinese APT groups.” However, the targeting, choice of malware, and command and control (C2) infrastructure resembled the reported past activities of the China-aligned BRONZE STARLIGHT group (a.k.a. DEV-0401 or SLIME34). Although analysts defined BRONZE STARLIGHT as a “suspected Chinese ‘ransomware’ group,” the main goal of the group “appears to be espionage rather than financial gain, using ransomware as means for distraction or misattribution.” Previously, in a presentation at Black Hat Asia 2022, analysts from TeamT5, a Taiwan-based cybersecurity company, also reported on SLIME34 (BRONZE STARLIGHT)’s politically motivated involvement in targeting the Southeast Asian gambling industry. TeamT5 found that, from the second half of 2021 to the first half of 2022, SLIME34 also targeted the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors with ransomware.
2024 Palau Government Pointed to China for a Ransomware Attack
On March 14, 2024, a ransomware attack encrypted a government financial management information system in the Pacific island nation of Palau. The system mostly contains public data, such as names, phone numbers and Palauan Social Security numbers. The cybersecurity team of the Palau government found that the links in the ransom notes for contacting the threat actors were dead, and that no sensitive data was stolen. Palau government officials quickly determined that the ransomware attack was politically motivated rather than for financial gain.
The attack occurred on the very day that Palau had a ceremony to commemorate the Compact of Free Association (COFA) – a longstanding agreement that codifies the country’s relationship with the US.
Palau, a strategically crucial Pacific Island state, has had longstanding issues with China since it recognized Taiwan in December 1999. Both the above-mentioned Russia-based LockBit group and a ransomware group calling itself DragonForce left ransom notes in the compromised Palau government systems, and DragonForce added Palau to its name-and-shame leak site. It is unclear whether the DragonForce ransomware group has any connection with a Malaysia-based hacktivist group by the same name. DragonForce has used leaked builders from Russia-origin ransomware families LockBit 3.0 and Conti, according to researchers at Singapore-based Group-IB. The officials of Palau blamed China for orchestrating the attack. As of this writing, the Natto Team has not seen any technical analysis or other evidentiary reporting related to this attack.
2024 ChamelGang: Ransomware Attacks for Various Purposes
In June 2024, SentinelOne reported that ChamelGang (a.k.a. CamoFei), a suspected Chinese APT group, targeted the All India Institute of Medical Sciences (AIIMS), a major Indian healthcare institution, and the Presidency of Brazil in 2022 using the CatB ransomware. ChamelGang also targeted 37 organizations from early 2021 to mid-2023 by abusing legitimate data protection tools, including Jetico BestCrypt and Microsoft BitLocker, to encrypt endpoints as a means to demand ransom. Researchers from SentinelOne assessed that ChamelGang’s deployment of ransomware and encryptors in various campaigns was “for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence.”
Non-Chinese Ransomware Groups with Chinese Names
Except for the mysterious links between BRONZE STARLIGHT and the Russia-based group LockBit, the above-mentioned Chinese threat groups’ ransomware operations are quite different from those of the ransomware groups affiliated with Russian cybercriminals, which the Natto Team discussed extensively in the Ransom-War series. These Chinese threat groups are state-sponsored and use ransomware mainly as a means to advance the country’s strategic goals.
However, we have observed some Russian ransomware groups that have Chinese-sounding names but are not Chinese. This can obscure attribution. It also suggests a fascination with Asian culture. (Some Russian cybercriminals also borrow from Japanese manga and anime culture in their usernames and profile pictures).
Ransomware groups using Chinese names likely are inspired by Chinese mythology, Chinese art culture or Chinese characters in video games. Whether or not this is a result of the Chinese government’s promotion of Chinese culture globally to exert influence as a tool of soft power, ransomware groups show interest in Chinese culture through their choice of names. Alternatively, ransomware groups may want to disguise themselves as groups from China. That’s possible, but they are not always successful. The following are a few examples.
Qiulong Ransomware Group
Qiulong, in Chinese 虬龙, is a horned dragon in Chinese mythology.
The Qiulong ransomware group is a relatively new group that emerged in 2024. Qiulong has targeted organizations in Latin America, particularly in Brazil. One Qiulong tactic, according to Sophos, a British security company, is to weaponize stolen data to increase pressure on targets who refuse to pay. Intensifying the old “double-extortion” tactic of threatening to leak data, the Qiulong group regularly includes the details of CEOs and business owners on its leak site, often accompanied by insults, personal information, and accusations of negligence.
Qilin Ransomware Group
Qilin, in Chinese 麒麟, is a Chinese unicorn, but also looks like a dragon in Chinese mythology.
Qilin (a.k.a Agenda) is a ransomware-as-a-service criminal operation that works with affiliates, encrypting and exfiltrating the data of hacked organizations and then demanding a ransom be paid. Qilin is known as a Russian-speaking cybercriminal group targeting health care and other industries worldwide. The previous Natto Thoughts post discussed the massive Qilin attack that crippled the UK’s National Health Service.
Yanluowang Ransomware Group
Yanluowang [also transliterated Yangluowang], in Chinese 阎罗王, is the god of death and the underworld judge in Chinese mythology.
Much of our information on the ransomware group comes from allegedly leaked chat logs that appeared online in October 2022. The Yanluowang ransomware group is likely a Russian cybercriminal group. Yanluowang refrains from targeting the critical infrastructure of former Soviet countries, and the participants in the leaked chat logs write in Russian. One of the group’s developers, nicknamed Killanas, was doxed online by a user nicknamed Xander2727; Xander2727 claims Killanas’ real initials are AVS and that he is a network administrator at Russia’s Defense Ministry. A supposed photo of Killanas shows him wearing what appears to be a military uniform.
According to an analysis of the allegedly leaked chat logs by Jambul Tologonov of Trellix, Killanas used a cryptocurrency wallet possibly linked with wallets used by the Conti group, which worked with Russian intelligence agencies (see Natto Thoughts analysis here). As the Natto Team pointed out in a previous report, sometimes it seems as if “all roads lead to Conti.” Indeed, according to Tologonov, the Yanluowang group collaborates with Russian groups Babuk, HelloKitty, and Conti. For example, the group used a ransomware strain called PayloadBIN. The name “PayloadBIN” has been associated with both the Babuk group – which the Natto Team discussed in the posting “Wazawaka & Co. Patriotic Hacker” – and with the group Evil Corp – whose ties with Russian intelligence the Natto Team has explored in the posting “Ransom-War In Real Time, Case Study 1: Conti, EvilCorp and Cozy Bear.”
The allegedly leaked chats also suggest complex relationships with Russian ransomware actors and Russian policies. The main Yanluowang actor, @saint, thought of posting “We stand with Ukraine” on the group’s negotiation page. As Trellix’s Tologonov pointed out, they may have done this “to increase their chances of ransom being paid, however they were concerned it would blow up their Chinese actor cover story, so they decided to drop the idea.”
According to DarkTrace, @saint claimed he was a former classmate of five people whom Russia arrested in January 2022 for suspected REvil ransomware activity. The Natto Team discussed those arrests in the “Ransom-War” series, Part 4a and Part 4b. A Russian investigative periodical profiled the REvil suspects and found that five of them had studied together at an elite high school, the English-Spanish Gimnazia No 205 in Saint Petersburg. Russian media identified one of that group, Daniil Puzyrevskiy, as the suspected perpetrator of the devastating May 2021 attack using Darkside ransomware that crippled Colonial Pipeline. A top US official acknowledged on January 14 2022 that the arrestees included “the individual responsible for the attack against Colonial Pipeline” but did not specify whether it was Puzyrevskiy or someone else. If Yanluowang figure @saint was telling the truth, that would imply personal connections with the operators of REvil and/or Darkside ransomware.
BianLian Ransomware Group
Bianlian, in Chinese 变脸, refers to face-changing, an ancient Chinese dramatic art in Sichuan opera. Performers wear vividly colored masks, typically depicting well known characters from the opera, which they change from one face to another almost instantaneously with the swipe of a fan, a movement of the head, or wave of the hand.
The BianLian ransomware group likely chose this name as a nod to its own face-changing behavior. Like its namesake, the BianLian threat group began as a banking Trojan but has moved into ransomware. BianLian acts as a ransomware developer, deployer, and data extortion cybercriminal group. According to a cybersecurity advisory from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, the BianLian group “has targeted organizations in multiple U.S. critical infrastructure sectors since June 2022.” In Australia, the Australian Cyber Security Centre (ACSC) has observed the BianLian group predominantly targeting private enterprises, including one critical infrastructure organization. The BianLian group originally employed a double-extortion model in which it exfiltrated financial, client, business, technical, and personal files for leverage and encrypted victims’ systems. In 2023, the FBI observed BianLian shift to primarily exfiltration-based extortion with victims’ systems left intact, and the ACSC observed BianLian shift exclusively to exfiltration-based extortion. BianLian actors warn of financial, business, and legal ramifications if payment is not made. As Analyst1 reported, BianLian actors worked with the Russia-based ransomware groups RansomHouse, Dark Angels, Alphv/BlackCat, LockBit 3.0, and RagnarLocker. In addition, BianLian works with Snatch and Stormous, which engage in “hybrid ransomware/hacktivist activities that blend ransomware with influence operations under the guise of hacktivism” and “are likely aligned with Russia.” Analyst1 thus asserts that BianLian is part of a “well-coordinated army of digital soldiers, united by common goals beyond mere financial gain.” The choice of a Chinese name may indicate an attempt to frame China for these attacks, as China has often targeted Australia.