The Cheerscrypt ransomware has been linked to a Chinese hacking group named ‘Emperor Dragonfly,’ known to frequently switch between ransomware families to evade attribution.
The ransomware gang is tracked under different names, such as Bronze Starlight (Secureworks) and DEV-0401 (Microsoft), and has been seen using a wide variety of ransomware families since 2021.
While the hacking group appears to operate as a ransomware operation, previous research indicates that many of their victims are targets of interest for the Chinese government.
This has led researchers to believe that the ransomware activities of the hacking group could be a cover for Chinese government-sponsored cyber espionage campaigns.
Night Sky and Cheerscrypt
During an incident response earlier this year, Sygnia’s security experts determined that the hackers exploited the Apache ‘Log4Shell‘ Log4j vulnerability (CVE-2021-44228) to execute PowerShell commands, which initiates a DLL-sideloading technique characteristic of Night Sky TTPs.
Next, the intruders dropped a Cobalt Strike beacon connected to a C2 address previously associated with Night Sky operations.
The attackers deployed three Go tools rarely seen in the ransomware space: a modified Aliyun OSS keylogger, a customized version of the ‘IOX’ port-forwarding and proxy tool, and a customized version of the ‘NPS’ tunneling tool.
After reconnaissance and lateral movement, following in the footsteps of past Night Sky attacks, the ransomware strain deployed was not Night Sky but Cheerscrypt, encrypting Windows and Linux ESXi machines.
Like other enterprise-targeting ransomware groups, the hackers breach networks, steal data, and encrypt devices. The data is then used in double-extortion tactics to pressure a victim into paying a ransom. If a ransom is not paid, the stolen data is published on a data leak site, shown below.
Frequently switching ransomware strains
According to Sygnia, Cheerscrypt is yet another one of Emperor Dragonfly’s continual payload rebranding efforts, attempting to evade attribution.
The ransomware group isn’t operating as a RaaS (Ransomware-as-a-Service) platform for affiliates but rather as a “lone wolf” isolated from the rest of the cybercrime community.
A June 2022 report by Secureworks hypothesized that the particular threat actor uses ransomware families like Night Sky, Rook, Pandora, and AtomSilo to mask government-sponsored cyberespionage campaigns as financially-motivated attacks.
That same month, Microsoft updated an article on ransomware operations to include the hacking group, who they track as DEV-0401, and attributed them to Chinese threat actors.
“Differing from the other RaaS developers, affiliates, and access brokers profiled here, DEV-0401 appears to be an activity group involved in all stages of their attack lifecycle, from initial access to ransomware development,” explained the Microsoft threat intelligence researchers.
“Despite this, they seem to take some inspiration from successful RaaS operations with the frequent rebranding of their ransomware payloads.”
Like Secureworks, Microsoft also found them constantly switching between ransomware brands, including additional strains, such as LockFile and LockBit 2.0.
Night Sky, Pandora, and Rook were all derived from leaked Babuk source code and share numerous similarities in their code. In addition, trend Micro previously stated that Cheerscrypt also seems to use Babuk as its basis, so the pieces fit.
No matter what the real goal of ‘Emperor Dragonfly’ is, as the group commonly targets vulnerabilities in Internet-exposed servers, it is essential to apply security updates to your devices as soon as possible.
As the group is known to target the Log4j vulnerability in VMware Horizon servers, applying patches to these devices should be a priority for all organizations.