
Cheerscrypt ransomware has been linked to the Chinese hacking group, Emperor Dragonfly

On Monday 3rd of October 2022, the cyber security company Sygnia published an article stating that it had investigated a Cheerscrypt ransomware attack which used Night Sky ransomware TTPs; on further analysis, Cheerscrypt and Night Sky were found to be rebrands of the same threat group, dubbed ‘Emperor Dragonfly’.

The TTPs identified were exploitation of the Apache Log4j ‘Log4Shell’ vulnerability (CVE-2021-44228) to execute PowerShell commands, which in turn initiate a DLL side-loading technique, along with the threat actors dropping a Cobalt Strike beacon that connected to a C2 address previously associated with Night Sky operations.
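The Log4Shell-to-PowerShell step described above is a chain a defender can hunt for in endpoint telemetry. As an added example that is not part of the original article, the following Python walks constructed Sysmon-style process-creation events (pid, ppid, image, cmdline) and flags any PowerShell process whose ancestry leads back to a Java process, directly or through intermediate command shells; the event fields, image names and sample values are assumptions.

```python
"""Hunt for PowerShell spawned (directly or via cmd.exe) by a Java process,
the execution chain seen after Log4Shell exploitation."""
from typing import Dict, List

# Constructed Sysmon-style process-creation events (not from any real incident).
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 400, "ppid": 1, "image": r"C:\Program Files\Java\jre\bin\java.exe",
     "cmdline": "java -jar app.jar"},
    {"pid": 412, "ppid": 400, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe"},
    {"pid": 420, "ppid": 412,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 430, "ppid": 400, "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "cmdline": "pwsh.exe"},
    {"pid": 500, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 510, "ppid": 500,  # benign: an analyst opening a shell from Explorer
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
]

JAVA_IMAGES = {"java.exe", "javaw.exe", "java"}          # Log4j-hosting runtimes
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}        # the child we alert on
INTERMEDIATE_SHELLS = {"cmd.exe"}                         # allowed hops in between


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(pid: int, by_pid: Dict[int, Dict], max_depth: int = 8) -> List[Dict]:
    """Parent, grandparent, ... of `pid`, bounded to survive pid reuse cycles."""
    chain, ev = [], by_pid.get(pid)
    while ev is not None and len(chain) < max_depth:
        chain.append(ev)
        ev = by_pid.get(ev["ppid"])
    return chain


def find_java_spawned_powershell(events: List[Dict]) -> List[Dict]:
    """Return one hit per PowerShell process whose ancestry reaches a Java process
    through nothing but intermediate shells; other ancestry stops the walk."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) not in POWERSHELL_IMAGES:
            continue
        for depth, anc in enumerate(ancestors(e["ppid"], by_pid), start=1):
            name = basename(anc["image"])
            if name in JAVA_IMAGES:
                hits.append({"pid": e["pid"], "java_pid": anc["pid"], "depth": depth,
                             "chain": [basename(x["image"]) for x in [e] + ancestors(e["ppid"], by_pid)[:depth]]})
                break
            if name not in INTERMEDIATE_SHELLS:
                break  # e.g. explorer.exe: a normal interactive shell, not our chain
    return hits
```

Pair a hit with web-server access logs for the same time window to confirm the Log4Shell entry point before escalating.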

In June 2022, both Secureworks and Microsoft reported that the ‘Emperor Dragonfly’ group had been observed using multiple ransomware families, including Night Sky, Rook, Pandora and AtomSilo, to conduct government-sponsored cyberespionage under the guise of financially motivated attacks. Cheerscrypt is therefore believed to be another of Emperor Dragonfly’s continual payload rebrands, intended to evade attribution.
