5.1 STATE-SPONSORED RANSOMWARE ATTACKS

Up until now, we highlighted aspects in which ransomware gangs have become similar to state-sponsored groups. But the similarity between the two types of threat actors is not one-sided, as reflected by the fact that several state-sponsored APT groups are known to be using ransomware. In July 2020, it was revealed that Lazarus, the notorious North Korea-sponsored hacking group, was using a new ransomware named VHD. Lazarus is known for conducting both cyber-espionage and financially motivated campaigns, in an attempt to generate revenues for the North Korean regime [30]. In October 2020, it was reported that Iranian sponsored APT group MuddyWater has been using a ransomware dubbed Thanos since September 2020, and most recently, in January 2021 researchers revealed that Chinese state-sponsored group APT27 has turned to using ransomware [31].

But, perhaps the most notable example is the Pay2Key ransomware. Starting from mid-October 2020, the new Pay2Key ransomware strain targeted a number of Israeli organizations, and soon launched a Dark Web leaks website, where it leaked the data it exfiltrated from victims who did not pay the ransom demand. Researchers who investigated the ransomware found links between the ransomware and an Iranian cryptocurrency exchange, leading them to attribute the attacks to Iranian threat actors [32]. Later, it was assessed with medium to high confidence that Pay2Key ransomware is operated by Iranian state-sponsored group Fox Kitten [33]. The attackers' motive was believed to be the ongoing political tension between Iran and Israel, that was also reflected by reports of mutual cyber-attacks between both countries during 2020.

Notably, in the case of the more recent victims, the attackers even skipped the ransomware payloads deployment stage, and simply exfiltrated data and leaked it online, possibly to cause fear and reputational damage to Israel, while camouflaging the attackers' identity and their end game, which in the case of Fox Kitten, is most probably espionage [34]. As stated above, it is possible that we will see more state-sponsored groups adopting the use of the ransomware and data exfiltration/leak combination to hide their real, ultimate goals.

References 30-34:
https://www.zdnet.com/article/recent-ransomware-wave-targeting-israel-linked-to-iranian-threat-actors/
https://www.bleepingcomputer.com/news/security/iranian-nation-state-hackers-linked-to-pay2key-ransomware/
https://www.zdnet.com/article/kaspersky-north-korean-hackers-are-behind-the-vhd-ransomware/
https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf
https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/

24 | The Ransomware Landscape