In a recent investigation, the Sygnia security firm found Linux-based ransomware, Cheerscrypt. This ransomware was found using the TTPs of Night Sky ransomware.
There is a common threat group called Emperor Dragonfly (A.K.A. DEV-0401/BRONZE STARLIGHT) that is behind both Cheerscrypt and Night Sky.
There were several open-source tools deployed by Emperor Dragonfly. In order to provide Chinese users with these tools, Chinese developers wrote them from scratch in Chinese.
It confirms the claims which have been made that the original operators of the ‘Emperor Dragonfly’ ransomware are from China.
In addition to encrypting files on Windows-based systems, Cheerscrypt ransomware also targets the ESXi applications.
Link between Cheerscrypt & Night Sky
It is extremely evident that the TTPs that were used in this attack have a great deal in common with the ones used by Night Sky.
A primary focus of Cheerscrypt’s work is on the encryption of ESXi servers and the final payload. There was already some information available that indicated that Night Sky was linked to another threat group, but Cheerscrypt had yet to be identified.
According to the report, Cheerscrypt’s operators present themselves as pro-Ukrainian, which provided the only clue to their true identity. This is indicated by the phrase “Слава Україні!”, which means “Glory to Ukraine!” and their dark web leak site which displays a Ukrainian flag.
The attack kill-chain is segmented into four phases, and here they are:-
- Initial access
- Establishing foothold within the network
- Lateral movement
- Data exfiltration and ransomware execution.
It is often difficult to identify two ransomware strains as part of the same threat actor in the world of ransomware affiliates and leaked source code for ransomware.
Listed below are some detection tips that may assist you in searching for Emperor Dragonfly’s traces in the organization network:-
- Search for binaries, scripts, and executions from suspicious folders.
- Search for evidence of SMBExec executions.
- Search for evidence of WMIExec executions.
- Monitor users’ authentications, and activity from unusual sources.
To defend against the Emperor Dragonfly’s TTPs, the following measures can be implemented:-
- Identify and patch critical vulnerabilities.
- Limit outbound internet access from servers.
- Protect the virtualization platform.
- Limit lateral movement through the network.
- Protect privileged accounts.
Cyber Attack with Zero Trust Networking – Download Free E-Book