Ransomware will continue to affect companies in the APAC region in 2023

Guy Segal

Vice President Cyber Security Services, Asia-Pacific at Sygnia

In one of the most significant cybercrime discoveries this year, Sygnia’s incident response team has revealed ongoing ransomware attacks by two groups first thought to be separate criminal entities and are part of one large global network based in China. Tactics, Techniques, and Procedures (TTPs) that were being employed during the investigation of an event involving the relatively unheard-of ransomware gang Cheerscrypt were found to be very similar to those of another well-known ransomware group, Night Sky. The fact that Cheerscrypt ransomware was used despite Night Sky indicators of compromise (IOC) being found led Sygnia’s IR team to further investigate Cheerscrypt’s. As a result, Sygnia has become the first to recognize that Cheerscrypt is a ransomware family created by Emperor Dragonfly, similar to Night Sky. 

CIO World Asia spoke with Guy Segal, Vice President Cyber Security Services, Asia-Pacific at Sygnia to find out more about the trends pertaining cyberattacks in Asia.  

Key highlights in Sygnia’s recent incident response report 

Recently, Sygnia looked into a Cheerscrypt ransomware assault that made use of Night Sky ransomware TTPs. Cheerscrypt and Night Sky are both rebrands of the same threat group, known by Sygnia as “Emperor Dragonfly,” according to further analysis.”Emperor Dragonfly” (also known as DEV-0401 / BRONZE STARLIGHT) used open-source software created by Chinese programmers with Chinese users in mind. This supports reports that the developers of the “Emperor Dragonfly” ransomware are in China.  

According to Guy, when it comes to ioTs, techniques and tools used by the threat actor, the evidence showed that it was a Chinese threat actor who introduced themselves as a Ukrainian one. Sygnia believes that it was done to create some sympathy or the threat actor believed that by doing this, they would have a higher chance of getting paid at the end.  Through insights and previous attacks, Sygnia was able to connect the dots quite quickly that they were not Ukrainian attackers. These threat actors are really looking for the low-hanging fruits – where they’re looking for the weakest link that has a misconfiguration or an open vulnerability.  

The threat actors exfiltrated sensitive data to Mega, a cloud storage service, in the course of the attack using the open-source command-line program Rclone. Soon later, the cyber actors released the Cheerscrypt ransomware as the last payload. Even though Cheerscrypt is typically referred to as a Linux-based ransomware family that targets ESXi servers, Sygnia’s investigation revealed that both Windows and ESXi machines were affected. 

How will the issue of ransomware continue to affect companies in the APAC region in 2023 

We should expect that the trend of ransomware will become more and more complex in the Asia Pacific especially after the countless incidents we’ve seen in 2022.  Not all attacks are ransomware; some are ransom requests to publish company data. According to Guy, companies should be prepared to expect more of these ransom requests in every sector – from highly professional and top-notch attacking groups, all the way to basic capability groups that are trying to find the right opportunity for them to use.  

Companies should not only take preventive measures, but they should also be ready to deal with such incidents. The prevention starts with understanding who your attackers are and what your attack surface looks like. You should understand how resilient your infrastructure is and if threat actors can ever do a successful penetration.  

Equivalent to an MRI, Guy suggests that organisations should start by identifying their weaknesses, opportunities and create a roadmap that enhances their cybersecurity posture. Organisations must have a flexible plan that can be dynamically altered as necessary in response to the particular threat or corporate requirements. In order to know who to call when they are in danger, organisations should also receive assistance with the appropriate legal initial reaction retainers in advance. It’s important to plan ahead rather than simply relying on these services when you’re in need.