
43 APT Groups Use Ransomware to Attack Their Targets

Posted on May 30, 2022 | By Supriya Aluri

CSW’s quarterly report on ransomware metrics reveals that three new APT groups are using ransomware to mount attacks on their targets, bringing the total number of APT groups using ransomware to 43.


CSW’s quarterly report recently recorded a 7.6% rise in vulnerabilities tied to ransomware, taking the total from 288 to 310. Quarter 1 of 2022 also saw the number of APT groups using ransomware grow from 40 to 43. In this blog, we explore in detail the threat posed by APT groups and how adding ransomware to their arsenal makes them the most dangerous adversary for critical organizations around the world.

[Figure: Active APT Groups Operating from Specific Regions]

New APT Groups Using Ransomware

The newly identified APT groups that started using ransomware to target their victims in Q1 2022 are DEV-0401 (China), APT 35 (Iran), and Exotic Lily.


APT 35

APT 35 is an Iranian government-sponsored threat actor group. The group is known for targeting Middle Eastern countries, the United States, and industries such as finance, medical research, energy, chemical, and telecommunications to collect strategic intelligence.

Vulnerabilities Used: CVE-2021-44228 (Apache Log4j) + 15 other vulnerabilities

Ransomware Deployed: Memento

Payloads Used: CharmPower backdoor

Other Malware Deployed: MANGOPUNCH, DRUBOT, ASPXSHELLSV, PUPYRAT, TUNNA, BROKEYOLK, and HOUSEBLEND

Operative Since: 2013

Aliases: Ajax Security Team, NewsBeef, Phosphorus, TA453, and Newscaster

Previous Attacks

APT 35 deployed credential-stealing malware in oncology, genetic, and neurology research organizations in the United States and Israel, targeting senior medical professionals and their research data. Spear phishing and custom malware are among the tactics the group uses against its victims. The group also tried to disrupt campaigns in the 2020 US presidential election by sending spear-phishing messages to campaign officials, although it did not cause much damage. APT 35 is known to conduct mass exploitation attacks, most recently using the Microsoft Exchange Server vulnerability against its target networks.

Exotic Lily

The Exotic Lily APT group uses CVE-2021-40444 to target its victims and is tied to the Conti ransomware. The group acts as an Initial Access Broker (IAB): it steals credentials from organizations and sells that access to the highest bidder. It was discovered by Google’s Threat Analysis Group. So far, its techniques have involved email campaigns and file-sharing software.

Vulnerabilities Used: Microsoft Windows MSHTML platform (CVE-2021-40444)

Ransomware Deployed: Conti and Diavol

Payloads Used: BazarBackdoor payloads and Bumblebee

Associated APT Groups: Wizard Spider

Operative Since: September 2021

Previous Attacks

Exotic Lily first started exploiting the Microsoft MSHTML zero-day (CVE-2021-40444) in September 2021. The group then began actively impersonating employees of real companies and delivering malware payloads that collect system details such as OS version, user name, and domain name and exfiltrate them in JSON format to a command-and-control (C2) server. So far, the group has targeted specific industries such as IT, cybersecurity, and health care.

DEV-0401

DEV-0401, a China-based ransomware group, also actively exploited the Log4j vulnerability (CVE-2021-44228) and installed the Night Sky ransomware on vulnerable internet-exposed servers for extortion.

Vulnerabilities Used: CVE-2021-26084, CVE-2021-34473, and CVE-2021-44228

Ransomware Deployed: Night Sky, LockFile, AtomSilo, Rook, and Khonsari

Operative Since: Dec 2021

Previous Attacks

DEV-0401 has previously deployed multiple ransomware families, including LockFile, AtomSilo, and Rook, and has similarly exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473). The group has used command-and-control (C2) servers that spoof legitimate domains.

Although a few of these APT groups are state sponsored, they have not shied away from targeting private-sector organizations. APT groups have become more organized, adopting 9-to-5 working hours, providing employee benefits, and exploiting multiple vulnerabilities at once. Organizations, private or public, need to be vigilant and deploy adequate measures to ensure that these groups do not take advantage of them.

We have analyzed the latest vulnerabilities, threats, and techniques used by the ransomware groups and compiled a detailed ransomware report. CSW offers Ransomware Attack Surface Assessment to detect vulnerabilities open to ransomware attacks. You can also check out our other services and reach out to us if you want to build a strong defense of your network architecture.

Never miss a patch or an update with CSW’s Patch Watch Newsletter. Subscribe now!
