The Chinese threat actor groups APT27 (also known as Emissary Panda) and Winnti have been identified as the culprits behind multiple ransomware attacks against firms last year. New research from Security Joes and Pro describes how the researchers identified the threat actors after investigating an incident in which ransomware encrypted several core servers at a victim organization. The researchers found that samples of the malware were linked to the DRBControl campaign, which targeted gaming companies and has been associated with APT27 and Winnti.
Although Winnti has historically conducted financially motivated attacks whereas APT27 focuses primarily on data theft, APT27 has previously been linked to one ransomware attack, and there are strong similarities in code and TTPs between APT27 and these attacks. The incidents occurred during the peak of Covid-19 cases in China, amid lockdown measures, so Security Joes and Pro state that a switch to a financial focus would not be unheard of. According to the researchers, the attack itself was not particularly sophisticated.