Security firms investigating recent ransomware attacks on U.S. companies believe that those responsible are using the same tools and APT (advanced persistent threat) techniques previously associated with Chinese state-sponsored intrusions.
An executive at one of the security firms, Dell SecureWorks, claims that his team was called in on three occasions in the last three months to investigate cases where hackers spread ransomware after exploiting known vulnerabilities in application servers.
Once the hackers had gained access via the server vulnerability, they were able to compromise more than 100 computers in each of the companies by installing a malicious program.
Security firms Attack Research, InGuardians and G-C Partners have also separately investigated three other similar ransomware attacks since December. Although the companies have no hard evidence, they suspect that all were the work of a known advanced threat group from China. However, as is often the case with ransomware, the attacks have not previously been reported and none of the victims agreed to be identified publicly.
The security companies investigating the advanced ransomware intrusions have their own theories, which stem from the possibility of an indirect link with the Chinese government. This is because China has reduced its support for economic espionage (state-sponsored hacking), which it agreed to oppose in an agreement with the United States late last year.
Some U.S. companies have reported a decline in Chinese hacking since the agreement, and these recent ransomware attacks could be the work of hackers who have recently found themselves unemployed. Another option is that the tools used by the Chinese hackers have simply become available on the black market.