The Cheerscrypt ransomware has been linked to a Chinese hacking group named 'Emperor Dragonfly,' known to frequently switch between ransomware families to evade attribution.
The ransomware gang is tracked under different names, such as Bronze Starlight (Secureworks) and DEV-0401 (Microsoft), and has been seen using a wide variety of ransomware families since 2021.
While the hacking group appears to operate as a ransomware operation, previous research indicates that many of their victims are targets of interest for the Chinese government.
This has led researchers to believe that the ransomware activities of the hacking group could be a cover for Chinese government-sponsored cyber espionage campaigns.
Night Sky and Cheerscrypt
During an incident response earlier this year, Sygnia's security experts determined that the hackers exploited the Apache Log4j 'Log4Shell' vulnerability (CVE-2021-44228) to execute PowerShell commands, which initiated a DLL side-loading technique characteristic of Night Sky TTPs.
Next, the intruders dropped a Cobalt Strike beacon connected to a C2 address previously associated with Night Sky operations.
The attackers deployed three Go tools rarely seen in the ransomware space: a modified Aliyun OSS keylogger, a customized version of the 'IOX' port-forwarding and proxy tool, and a customized version of the 'NPS' tunneling tool.
After reconnaissance and lateral movement that followed the pattern of past Night Sky attacks, the ransomware strain finally deployed was not Night Sky but Cheerscrypt, which encrypted Windows and Linux ESXi machines.
Overlap between the two ransomware strains (Sygnia)
Trend Micro first spotted the 'Cheers' ransomware in May 2022 after the researchers found a ..