43 APT Groups Use Ransomware to Attack Their Targets

Securin’s quarterly report on ransomware metrics reveals that three new APT groups are using ransomware to mount attacks on their targets, bringing the total number of APT groups using ransomware to 43.

Securin’s quarterly report recently recorded a 7.6% spike in vulnerabilities tied to ransomware, increasing the total number of vulnerabilities from 288 to 310. Quarter 1 of 2022 also saw an increase in the number of APT groups from 40 to 43. In this blog, we will explore in detail the threat posed by APT groups and how using ransomware in their arsenal has made them the most dangerous adversary for critical organizations around the world.

Active APT Groups Operating from Specific Regions

New APT Groups Using Ransomware

The newly identified APT groups using ransomware to target their victims in Q1 2022 are DEV-0401 (China), APT35 (Iran), and Exotic Lily.

APT35

APT35 is an Iranian government-sponsored threat actor group. The group is known for targeting Middle Eastern countries, the United States, and industries such as finance, medical research, energy, chemicals, and telecommunications to collect strategic intelligence.

Vulnerabilities Used: CVE-2021-44228 (Apache Log4j) + 15 other vulnerabilities

Ransomware Deployed: Memento

Payloads Used: CharmPower backdoor

Other Malware Deployed: MANGOPUNCH, DRUBOT, ASPXSHELLSV, PUPYRAT, TUNNA, BROKEYOLK, and HOUSEBLEND

Operative Since: 2013

Aliases: Ajax Security Team, NewsBeef, Phosphorus, TA453, and Newscaster

Previous Attacks

APT35 has deployed credential-stealing malware against oncology, genetics, and neurology research organizations in the United States and Israel, targeting senior medical professionals and their research data. Spear phishing and custom malware are among the tactics the group uses against its victims. The group also tried to disrupt the 2020 US presidential election campaigns by sending spear-phishing messages to campaign officials, although it did not cause much damage. APT35 is also known to conduct mass exploitation attacks using a Microsoft Exchange Server vulnerability on target networks.

Exotic Lily

The Exotic Lily APT group exploits CVE-2021-40444 to target its victims and is tied to the Conti ransomware operation. The group acts as an Initial Access Broker (IAB): it steals credentials from organizations and sells them to the highest bidder. It was discovered by Google's Threat Analysis Group (TAG). So far, its techniques have involved email campaigns and file-sharing software.

Vulnerabilities Used: Microsoft Windows MSHTML platform (CVE-2021-40444)

Ransomware Deployed: Conti and Diavol

Payloads Used: BazarBackdoor payloads and Bumblebee

Associated APT Groups: Wizard Spider

Operative Since: September 2021

Previous Attacks

Exotic Lily began exploiting the Microsoft MSHTML zero-day (CVE-2021-40444) in September 2021. The group then actively impersonated employees of real companies and delivered payloads containing malware that collects system details such as the OS version, user name, and domain name and exfiltrates them in JSON format to a C2 server. The group has been targeting specific industries such as IT, cybersecurity, and healthcare.

DEV-0401

DEV-0401, a Chinese ransomware attack group, has also actively exploited the Log4j vulnerability (CVE-2021-44228), installing the Night Sky ransomware on vulnerable internet-facing servers to extort their owners.

Vulnerabilities Used: CVE-2021-26084, CVE-2021-34473, and CVE-2021-44228

Ransomware Deployed: Night Sky, LockFile, AtomSilo, Rook, and Khonsari

Operative Since: December 2021

Previous Attacks

DEV-0401 has previously deployed multiple ransomware families, including LockFile, AtomSilo, and Rook, and has similarly exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473). The group has used command-and-control (C2) servers that spoof legitimate domains.
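As an added defensive example, not taken from Securin's report or from any of these groups' tooling, the following Python scans constructed proxy-log lines for the two behaviours described above: a POST whose JSON body carries a host profile (OS version, user name, domain name), as in the Exotic Lily payloads, and a destination that closely resembles a legitimate domain, as with DEV-0401's spoofed C2 domains. The allowlist, log layout and JSON key names are assumptions.

```python
import json
import re
from difflib import SequenceMatcher

# Assumed allowlist of domains the organization legitimately uses.
LEGIT_DOMAINS = {"microsoft.com", "office365.com", "example-corp.com"}
# Assumed key names for the host details the report says are collected
# (OS version, user name, domain name); real payloads vary.
PROFILE_KEYS = {"os", "os_version", "user", "username", "domain", "hostname"}
# Assumed proxy-log layout: "<ts> <src-ip> <METHOD> <url> body=<request body>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/ ]+)\S* body=(?P<body>.*)$")
def registrable(host):
    # Last two labels only; a real deployment would use the public suffix list.
    return ".".join(host.lower().split(".")[-2:])
def lookalike_of(host, legit=LEGIT_DOMAINS, threshold=0.8):
    """Return the legitimate domain that `host` closely imitates, or None."""
    reg = registrable(host)
    if reg in legit:
        return None
    best = max(legit, key=lambda d: SequenceMatcher(None, reg, d).ratio())
    return best if SequenceMatcher(None, reg, best).ratio() >= threshold else None
def profile_fields(body):
    """Keys of a JSON-object body that look like host-profiling data."""
    try:
        data = json.loads(body)
    except ValueError:
        return set()
    return {k for k in data if k.lower() in PROFILE_KEYS} if isinstance(data, dict) else set()
def scan(lines):
    """Flag non-allowlisted hosts that receive a host profile and/or imitate an allowlisted domain."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or registrable(m["host"]) in LEGIT_DOMAINS:
            continue  # unparsable, or traffic to a domain we actually use
        reasons = []
        if m["method"] == "POST" and len(profile_fields(m["body"])) >= 2:
            reasons.append("JSON host profile in POST body")
        spoof = lookalike_of(m["host"])
        if spoof:
            reasons.append(f"lookalike of {spoof}")
        if reasons:
            alerts.append({"src": m["src"], "host": m["host"].lower(), "reasons": reasons})
    return alerts
SAMPLE_LOG = [  # constructed lines, not real traffic; the second goes to an allowlisted host
    '2022-03-14T10:02:11Z 10.0.0.12 POST https://micros0ft.com/api/upload body={"os": "Windows 10 Pro", "user": "jdoe", "domain": "CORP"}',
    '2022-03-14T10:05:02Z 10.0.0.33 POST https://example-corp.com/api body={"user": "jdoe", "domain": "CORP"}',
    '2022-03-14T10:06:19Z 10.0.0.45 POST https://cdn-telemetry.net/c body={"os_version": "10.0.19044", "username": "alice", "domain": "CORP"}',
]
```

Running scan(SAMPLE_LOG) yields two alerts: the first host is flagged both for the host profile and as a lookalike of microsoft.com, the third only for the host profile.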

Although some APT groups are state-sponsored, they have not shied away from targeting organizations in the private sector. Today's APT groups are more organized than ever, even adopting 9-to-5 working hours, providing employee benefits, and exploiting multiple vulnerabilities at once. Organizations, private or public, need to be vigilant and deploy adequate measures to ensure that these groups do not take advantage of them.

We have analyzed the latest vulnerabilities, threats, and techniques used by ransomware groups and compiled them into a detailed ransomware report. Securin offers a Ransomware Attack Surface Assessment to detect vulnerabilities exposed to ransomware attacks. You can also check out our other services and contact us if you want to build a strong defense for your network architecture.
