Ransomware is a type of malware that blackmails users for ransom by blocking access to devices or data. In general, ransomware can be categorized as locker-ransomware or crypto-ransomware. More specifically, locker-ransomware blocks users’ interactions with the device by resetting the PIN code or popping up a full-screen window. The window covers the screen, which makes it impossible for users to interact with the device. The window may disappear only after the victims pay for the password and input it, as promised. Crypto-ransomware encrypts users’ data and demands payment for the decryption. Locker-ransomware and crypto-ransomware occasionally appear together. It should be noted, however, that paying the ransom does not guarantee that users will receive the password and regain access to their devices.
Most ransomware attackers are driven by profit. To pressure users into paying the ransom without hesitation or suspicion, the attackers turn to psychological tactics. They often equip the ransomware with humiliating messages and pornographic images. Their combined use of technology and psychology makes ransomware a severe public problem that requires urgent attention. Ransomware is arguably the most disruptive cyber-dependent crime to date. It not only causes considerable economic loss globally but also threatens public services and security, including critical infrastructure such as public transport and healthcare facilities. In recent years, an increasing amount of locker-ransomware has been posing a great threat to the Android platform as well as to users’ property. Locker-ransomware blackmails victims for ransom by forcibly locking their devices. What is worse, a mature locker-ransomware transaction chain has taken shape on Chinese social networks. The effective detection of locker-ransomware is an emerging yet crucial issue.
Examining cases of ransomware activities linked to Chinese threat actors shows an increase in the deployment of ransomware since 2016. The majority of the cases that threat hunters have revealed were politically motivated and conducted by threat actors with some degree of relationship to the Chinese state. The Spectrum of State Responsibility, which cyber law researcher Jason Healey introduced in 2012, categorizes variations on the criminal/state relationship in hacking operations, ranging from “state-prohibited” to “state-encouraged” to “state-integrated.” Chinese threat actors use ransomware to cause misattribution, distraction, disruption or even destruction, and to provide financial gain, cover for espionage operations and the ability to remove evidence. A chronological timeline follows to illustrate the nuances of Chinese ransomware attacks (the year given is the year in which an operation was reported):
In May 2020 Taiwan-CERT reported that several Taiwan-based petrochemical companies and one semiconductor manufacturing plant fell victim to targeted ransomware attacks that halted operations and required the companies to isolate the affected networks and restore backup files. The Taiwan Investigation Bureau attributed the ransomware attack to the China-based Winnti group. Security company Trend Micro analysed the ransomware family and indicated the attack was potentially destructive, as the ransomware appeared to target databases and email servers for encryption. This was the first major destructive attack using ransomware by a Chinese state-sponsored group in recent years. Chinese cyberthreat actors often use Taiwan as a test ground because of the common language and the Chinese perception that Taiwan is rightfully part of China and that world powers will not retaliate against China for aggression against a diplomatically isolated Taiwan.
On March 14, 2024, a ransomware attack encrypted a government financial management information system in the Pacific Island nation of Palau. The system mostly contains public data, such as names, phone numbers and Palauan Social Security numbers. The cybersecurity team of the Palau government discovered that the links in the ransom notes for communicating with the threat actors were dead, and that no sensitive data had been stolen. The officials of the Palau government quickly determined that the ransomware attack was not for financial gain but politically motivated. The attack occurred on the very day that Palau held a ceremony to commemorate the Compact of Free Association (COFA), a longstanding agreement that codifies the country’s relationship with the US. Palau, a strategically crucial Pacific Island state, has had longstanding issues with China since it recognized Taiwan in December 1999. Both the Russia-based LockBit group and a ransomware group calling itself DragonForce left ransom notes in the compromised Palau government systems, and DragonForce added Palau to its name-and-shame leak site. The officials of Palau blamed China for orchestrating the attack.
In June 2024, SentinelOne reported that ChamelGang (a.k.a. CamoFei), a suspected Chinese APT group, targeted the All India Institute of Medical Sciences (AIIMS), a major Indian healthcare institution, and the Presidency of Brazil in 2022 using the CatB ransomware. ChamelGang also targeted 37 organizations from early 2021 to mid-2023 by abusing legitimate data protection tools, including Jetico BestCrypt and Microsoft BitLocker, to encrypt endpoints as a means of demanding ransom. Researchers from SentinelOne assessed that ChamelGang’s deployment of ransomware and encryptors in various campaigns was “for the purposes of financial gain, disruption, distraction, misattribution, or removal of evidence.”
These Chinese threat groups are state-sponsored and use ransomware mainly as a means to advance the country’s strategic goals. However, some Russian ransomware groups have been observed to use Chinese-sounding names despite not being Chinese. This can obscure attribution. It also suggests a fascination with Asian culture. (Some Russian cybercriminals also borrow from Japanese manga and anime culture in their usernames and profile pictures.) Ransomware groups using Chinese names are likely inspired by Chinese mythology, Chinese art and culture, or Chinese characters in video games. Whether or not this is a result of the Chinese government’s global promotion of Chinese culture as a tool of soft power, ransomware groups show interest in Chinese culture through their choice of names. Alternatively, ransomware groups may want to disguise themselves as groups from China. That’s possible, but they are not always successful.
Ransomware stands out as a particularly malicious type of cyberattack, wielding the potential to inflict severe financial, operational, and reputational harm. The insidious nature of ransomware, with its ability to encrypt or exfiltrate sensitive data, demands a paradigm shift in cybersecurity strategies. Further, the ability to predict and forecast such malware is paramount for bolstering overall cybersecurity resilience. Extrapolating from the current growth rates in fragile world regions, there is a significant risk that ransomware will aggravate existing distributional conflicts. It may also provide a means of circumventing international sanctions. Ransomware operations could also threaten peace at the interstate level because of misperceptions and unwanted escalation, especially given the current geopolitical climate. Thus, these evolving Chinese ransomware attacks are disruptive and pose a significant threat to the global cyberspace ecosystem. It is pertinent for democracies across the world to unite in curbing these incessant Chinese threats.