Security

Ex-Chinese State Hackers ‘Turning To Ransomware’

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Google + Linkedin Subscribe to our newsletter Write a comment

Hackers who once worked for the Chinese government may now be carrying out ransomware attacks, finds a report

Hackers who previously carried out attacks on behalf of the Chinese Government may now be behind a number of recent incidents involving ransomware, according to security researchers.

Four IT security firms have investigated about half a dozen ransomware incidents in the past three months in which the advanced techniques and attack tools used bore a close similarity to those previously employed by a group called Codoso, thought to have been working on behalf of the Chinese state, according to Reuters.

Advanced techniques

ransomware

Dell SecureWorks cited three cases in the past three months in which companies were targeted using advanced penetration techniques involving known vulnerabilities in application servers and went on to install ransomware on large numbers of company computers, according to the report.

In one attack more than 100 systems were compromised, while an IT firm reportedly saw 30 percent of its computers affected. A transportation company was also affected, the report said.

Attack Research, G-C Partners and InGuardians said they had investigated three similar cases during the same period. The companies suspect Codoso in about half a dozen recent incidents affecting US companies, none of which have previously been made public, Reuters said.

The companies said the intrusion techniques, methods of navigating companies’ internal networks and the penetration software used were all similar to those used previously by Codoso.

Unemployed hackers

The security firms noted that China agreed with the US late last year to reduce its support for economic espionage, and speculated that hackers once employed by the state are turning to ransomware attacks as a new source of funds.

Codoso has previously been linked to espionage attacks on Apple’s iCloud and attacks on US military and financial services. The group is thought to have been in existence since at least 2010.

The IT security companies said they couldn’t be sure of the link and had no proof. China’s foreign ministry on Tuesday called the allegations “rumours and speculation”.

Researchers at security firm Trend Micro said last week that there were more ransomware-related infections found in February of this year as the first six months of 2015 in total. The figures also showed that there were more than twice as many infections last month than in the entire first three months of 2015, and that the combination of January and February 2016’s tally is already more than triple the infection count for the first three months of last year.

Security firms have said that payoffs from ransomware attacks are increasing, which may be luring criminals into the area from other types of financial fraud such as credit card theft.

The attacks involve infecting a system with code that encrypts the user’s files and demanding payment in order to restore the files.

Are you a security pro? Try our quiz!