A Chinese espionage group APT27 has moved into more financially-motivated cybercrimes, using ransomware to encrypt core servers at major gaming companies worldwide.

Ransomware incidents found extremely strong links to APT27 in terms of code similarities and tactics, techniques and procedures. Surprise in this incident was the encryption of core servers using BitLocker, a drive encryption tool built into Windows. The approach was unusual, given threat actors typically drop the ransomware to the machines as opposed to using local tools. What solidified their belief that APT27 had moved into financially-motivated cybercrime when an instance that found APT27 had also dropped the Polar ransomware on systems.

Researchers discovered the team first started following APT27 closely in early 2020 when they responded to the ransomware incident. They found malware identified which was linked to a campaign by APT27 and Winnti, known as DRBControl linked to China

The significant use of tooling that has historically been linked to Chinese threat actors suggests it’s realistically possible that APT27 or Winnti could have been responsible for the ransomware actions outline researchers stated. Other nation-state affiliated APTs such as TA505 (Russia) and Lazarus Group (North Korea) have used ransomware in the past.

Major ransomware variants are deployed using commodity malware variants, such as TrickBot and Emotet, it’s often hard to pinpoint attribution to one specific APT. Given the prominence of ransomware across the threat landscape, it’s likely that financially-motivated nation-state threat actors will use ransomware in future attacks.