Money Making or Camouflaging? Dissecting APT41's Ransomware Activities
It is not an exaggeration to say APT41 is among the most prolific and sophisticated Chinese state-sponsored groups. The 2020 US indictment did not hinder or even slow down APT41 from launching new attacks; we observe that its target scope and arsenal continue to expand. APT41 is also one of a kind, since it is known to conduct financially motivated cybercrime, which is not a common practice among Chinese APT groups. What's noteworthy is that our research suggests APT41 has been actively engaged in ransomware attacks since as early as 2019.
In this presentation, we will share our latest findings on APT41’s engagement in ransomware attacks. Over the past three years, we have found traces of APT41's ransomware campaign against at least 10 industries across 11 countries in Asia, Europe, and America.
We will also try to answer the question: Why did APT41 start deploying ransomware in its operations? Is it for camouflage or for money making? By comparing APT41's espionage and ransomware campaigns, we found differences in malware usage and level of sophistication, despite overlaps in C2 infrastructure and tactics. Notably, technical indicators suggest that APT41 might be connected to the Hades ransomware gang. Given that APT41 is a group of private contractors operating on behalf of the Chinese authorities, we assess that APT41 might operate as multiple teams with different goals, which would explain the different aims behind its ransomware usage.
Their latest activities once again prove that the group still poses a significant risk to organizations worldwide. We believe that threat intelligence and the attribution process can help defenders build a better strategy before APT41 strikes again.