Spyware Group Turns to Ransomware Attacks

Ransomware: A New Kind of Cyberattack

A new and alarming development shows a strong link between espionage and ransomware attacks. The China-based hacking group Emperor Dragonfly, typically known for spying, has unexpectedly deployed tools previously linked to cyber espionage to launch a ransomware attack.

In late 2024, the hackers targeted an Asian software and services company, encrypting its systems and demanding a ransom of $2 million. Cybersecurity experts who studied the attack found that the group used a toolset previously linked to state-backed spying operations. These tools, which are typically used to secretly monitor and steal information from high-profile organizations, were instead deployed to lock up data and demand money.

One of the key concerns about this attack is that many espionage tools used by China-based hacking groups are not available to the general public. This suggests that the attackers had access to advanced capabilities typically reserved for state-sponsored operations. While it is common for cyber espionage groups to share tools, it is rare for these tools to appear in financially motivated cybercrimes.

Back in July 2024, cybersecurity researchers had already suspected a possible connection between Emperor Dragonfly and RA World ransomware, but the link was uncertain at that time. RA World is a ransomware strain that emerged from the RA Group, a hacking collective that first appeared in 2023. The group's ransomware is based on Babuk, a notorious ransomware strain.

Espionage Techniques Used in Ransomware

Between July 2024 and January 2025, Emperor Dragonfly focused on cyber espionage, targeting government ministries and telecom companies across Southeast Europe and Asia. The group’s goal was to infiltrate networks and maintain long-term access without being detected.

During these attacks, the hackers used a powerful backdoor malware called PlugX, also known as Korplug. The malware was hidden behind a legitimate Toshiba executable (toshdpdb.exe) and executed using a technique called DLL sideloading: a malicious library (toshdpapi.dll) is placed next to the legitimate program so that the trusted executable loads it, which makes the malicious code harder for security systems to detect.
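The sideloading pattern above (a trusted host executable loading a same-named DLL from wherever the attacker dropped it) is something defenders can hunt for in image-load telemetry. The following is an added example, not code from the article or from the researchers it cites: it parses constructed, Sysmon-style "image loaded" events (field names Image, ImageLoaded, Signed and SignatureStatus are borrowed from Sysmon Event ID 7; the log lines themselves are made up) and flags loads of toshdpapi.dll by toshdpdb.exe that come from a directory outside an assumed set of trusted install roots or that lack a valid signature.

```python
"""Added example: flag the DLL-sideloading pattern in constructed image-load events.

Assumptions (not from the article): events are '|'-separated key=value lines with
Sysmon-like field names, and TRUSTED_ROOTS lists where the host executable is
legitimately installed on the monitored hosts.
"""
from dataclasses import dataclass

# Directories where a legitimate Toshiba install would live (assumption for this example).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\system32\\")

# Host executable -> DLL pairing the rule watches for (names taken from the article).
SIDELOAD_PAIRS = {"toshdpdb.exe": "toshdpapi.dll"}


@dataclass
class ImageLoad:
    image: str             # process that performed the load
    image_loaded: str      # full path of the DLL that was loaded
    signed: bool           # whether the DLL carried an Authenticode signature
    signature_status: str  # e.g. "Valid", "Unavailable", "Invalid"


def parse_event(line: str) -> ImageLoad:
    """Parse one constructed 'key=value|key=value' line into an ImageLoad."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields["Signed"].strip().lower() == "true",
        signature_status=fields["SignatureStatus"].strip(),
    )


def _normalize(path: str) -> str:
    return path.replace("/", "\\").lower()


def basename(path: str) -> str:
    return _normalize(path).rsplit("\\", 1)[-1]


def dirname(path: str) -> str:
    """Directory part with a trailing backslash, lower-cased for comparison."""
    return _normalize(path).rsplit("\\", 1)[0] + "\\"


def sideload_reasons(ev: ImageLoad) -> list:
    """Return the reasons an event matches the sideload pattern (empty if it does not)."""
    host, dll = basename(ev.image), basename(ev.image_loaded)
    if SIDELOAD_PAIRS.get(host) != dll:
        return []  # not the watched executable/DLL pair
    reasons = []
    load_dir = dirname(ev.image_loaded)
    # Sideloading works because the loader searches the application directory first,
    # so a copy of the DLL outside the real install location is the primary signal.
    if not load_dir.startswith(TRUSTED_ROOTS):
        reasons.append(f"{dll} loaded from untrusted directory {load_dir}")
    # A vendor DLL shipped with the product should be validly signed; the sideloaded
    # replacement usually is not.
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append(f"{dll} is not validly signed (status={ev.signature_status})")
    return reasons


def find_sideloads(lines: list) -> list:
    """Scan event lines; return (line_index, reasons) for every suspicious load."""
    hits = []
    for idx, line in enumerate(lines):
        reasons = sideload_reasons(parse_event(line))
        if reasons:
            hits.append((idx, reasons))
    return hits


# Constructed sample telemetry: a normal install, a copy dropped in a public folder, and
# an unrelated load that the rule must ignore.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Toshiba\toshdpdb.exe|ImageLoaded=C:\Program Files\Toshiba\toshdpapi.dll|Signed=true|SignatureStatus=Valid",
    r"Image=C:\Users\Public\update\toshdpdb.exe|ImageLoaded=C:\Users\Public\update\toshdpapi.dll|Signed=false|SignatureStatus=Unavailable",
    r"Image=C:\Windows\System32\svchost.exe|ImageLoaded=C:\Windows\System32\ntdll.dll|Signed=true|SignatureStatus=Valid",
]

if __name__ == "__main__":
    for idx, reasons in find_sideloads(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

The directory check is the stronger of the two signals: a trusted root list has to be maintained per environment, but a legitimate vendor binary running from a user-writable folder is rarely benign, and it catches the case where the attacker re-signs nothing and simply drops both files together.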

The attackers also deployed additional tools to strengthen their control over compromised networks. One of these was NPS, a proxy tool developed in China that lets the attackers tunnel traffic covertly. They also used RC4-encrypted malicious payloads, which are harder for security products to analyze or block.

In November 2024, the same PlugX malware was used in another attack, this time against a South Asian software company. However, this attack differed from previous espionage attempts. After gaining access to the network and establishing control, the attackers launched a ransomware operation using RA World. This shift from espionage to ransomware highlights how advanced hacking groups are adapting their methods for financial gain.

Exploiting Vulnerabilities for Financial Gain

To carry out these attacks, Emperor Dragonfly exploited a known security vulnerability in Palo Alto Networks’ PAN-OS software (CVE-2024-0012). This vulnerability allowed them to break into corporate networks and install their malicious software. Once inside, they used the same Toshiba executable sideloading trick to install PlugX and establish control over the system.

After secretly gathering information and ensuring their presence remained undetected, the hackers took the next step by deploying RA World ransomware. This move locked the victim’s data and disrupted operations, leaving the company with no choice but to consider paying the ransom.

The growing connection between state-backed cyber operations and financially motivated attacks raises serious concerns. It suggests that some cyber operatives involved in espionage may also be using their access for personal financial gain. Instead of only spying on high-profile organizations, they are now using their skills to launch ransomware attacks and demand large sums of money.

Cybersecurity experts have released a detailed report outlining the indicators of compromise (IoCs) associated with these attacks. These IoCs provide crucial information that can help companies detect and prevent similar intrusions before they cause significant damage.
