Security firms are reporting that some of the United States ransomware attacks conducted over the past few months have demonstrated a level of sophistication that suggest they are the work of hacking groups previously backed by the Chinese government.

Ransomware attacks have previously been associated with low level cybercriminals who use spam email to send millions of messages out to random targets in the hope that some individuals will install the malicious file-locking software. In many cases, ransomware-as-a-service is being offered to cybercriminals via darknet marketplaces. Cybercriminals therefore do not need to have an extensive knowledge of hacking, and do not need to be highly skilled at conducting intrusions. However, due to the fact that ransomware can be incredibly lucrative, attacks are now being conducted by a wide range of individuals, including skilled hackers.

United States Ransomware Attacks Appear to Have Been Conducted by Former Chinese Government-Backed Hacking Groups

In some cases, the tactics used in the attacks bear the hallmarks of hacking groups known to have previously been involved in state-sponsored attacks on U.S. companies. The ransomware may not have been developed by foreign-government-backed hackers, but the methods and software used to gain entry to company networks and move around certainly appears to be.

Security firms Dell SecureWorks, InGuardians, G-C Partners, and Attack Research have all been called upon to investigate United States Ransomware attacks recently. The Dell team have investigated three highly sophisticated attacks, and the other companies have similarly been called upon to investigate security breaches involving ransomware.

All of the companies have come to the conclusion that these attacks were not the work of run-of-the-mill cybercriminals, and believe a well-known Chinese hacking group was behind the attacks. In one case, an attack on a U.S. company resulted in over 100 computers being locked with the file-encrypting software. Another attack involved 30 computers being locked. Similar large-scale ransomware attacks have also been investigated by the security firms. These attacks, like many conducted on large U.S. companies, have not previously been reported.

APT Tactics Used in Ransomware Attacks

Some of the attacks took advantage of security vulnerabilities in application servers, other used login credentials that were obtained in past Advanced Persistent Threat (APT) attacks on U.S companies. Rather than APT attacks taking place for espionage, the same methods appear to be used to gain access to networks in order to install ransomware.

None of the security firms are able to say with 100% certainty that the attacks were conducted by Chinese hacking groups, although it does appear to be the most logical answer. One theory put forward is that with China now pulling out of cyber-espionage after last year’s agreement with the U.S government, many Chinese hackers who were previously funded by the government are now out of work or are looking for additional income. Since the potential payoff from ransomware attacks is so high, they are now performing attacks on their own.

In some cases, where U.S companies have been compromised by government-sponsored attacks, it has been hypothesized that the hackers are cashing in as they pull out.

Even if Chinese hacking groups are not involved, it is clear is there is considerable money to be made by performing these attacks. Cybercriminal gangs who have previously targeted credit card numbers may now be switching to ransomware due to big potential payoffs.

Since most companies do not declare that they have suffered an attack and paid a ransom, it is difficult to tell exactly how bad the current situation is. But until ransomware ceases to be profitable, United States ransomware attacks are likely to continue.