A new report by Sygnia uncovered that attacks led by the Night Sky and Cheerscrypt ransomware groups originated from the same threat actor, dubbed ‘Emperor Dragonfly’, exposing a newer strategy among industry threat actors to dodge exposure by appearing as several smaller groups.
Sygnia has become the first to identify that Cheerscrypt, like Night Sky, is another ransomware family developed by Emperor Dragonfly. Emperor Dragonfly manages all stages of the attack lifecycle on their own instead of operating in an affiliate model. It also refrains from purchasing initial access from other threat actors. By rebranding their ransomware payloads every few months, Emperor Dragonfly manages to stay under the radar, instead of building up their reputations like other notorious groups.
Sygnia also discovered that threat actors deployed open-source tools that were written by Chinese developers for Chinese users. This reinforced previous claims that the Emperor Dragonfly operators are based in China, despite Cheerscrypt's pro-Ukrainian branding.
“In the world of ransomware affiliates and leaked ransomware source code, it is often difficult to connect two ransomware strains with one threat actor,” said Amnon Kushnir, incident response and threat hunting team leader at Sygnia.
Kushnir said that the discovery plays a crucial role in helping their clients defend their systems against similar threats.