5.1 STATE-SPONSORED RANSOMWARE ATTACKS

Up until now, we have highlighted aspects in which ransomware gangs have become similar to state-sponsored groups. But the similarity between the two types of threat actors is not one-sided, as reflected by the fact that several state-sponsored APT groups are known to be using ransomware. In July 2020, it was revealed that Lazarus, the notorious North Korea-sponsored hacking group, was using a new ransomware named VHD. Lazarus is known for conducting both cyber-espionage and financially motivated campaigns, in an attempt to generate revenue for the North Korean regime [30]. In October 2020, it was reported that the Iranian-sponsored APT group MuddyWater had been using a ransomware dubbed Thanos since September 2020, and most recently, in January 2021, researchers revealed that the Chinese state-sponsored group APT27 has turned to using ransomware [31]. But perhaps the most notable example is the Pay2Key ransomware. Starting from mid-October 2020, the new Pay2Key ransomware strain targeted a number of Israeli organizations, and soon launched a Dark Web leaks website, where it leaked the data it had exfiltrated from victims who did not pay the ransom demand. Researchers who investigated the ransomware found links between it and an Iranian cryptocurrency exchange, leading them to attribute the attacks to Iranian threat actors [32]. Later, it was assessed with medium to high confidence that the Pay2Key ransomware is operated by the Iranian state-sponsored group Fox Kitten [33]. The attackers' motive was believed to be the ongoing political tension between Iran and Israel, which was also reflected in reports of mutual cyber-attacks between the two countries during 2020.

Notably, in the case of the more recent victims, the attackers even skipped the ransomware payload deployment stage and simply exfiltrated data and leaked it online, possibly to cause fear and reputational damage to Israel, while camouflaging the attackers' identity and their end game, which in the case of Fox Kitten is most probably espionage [34]. As stated above, it is possible that we will see more state-sponsored groups adopting the combination of ransomware and data exfiltration/leaks to hide their real, ultimate goals.

30. https://www.zdnet.com/article/kaspersky-north-korean-hackers-are-behind-the-vhd-ransomware/
31. https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/
32. https://www.zdnet.com/article/recent-ransomware-wave-targeting-israel-linked-to-iranian-threat-actors/
33. https://www.bleepingcomputer.com/news/security/iranian-nation-state-hackers-linked-to-pay2key-ransomware/
34. https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf