The ransomware activity cluster is believed to be attributed to a China-based APT group called Bronze Starlight. This group is assessed to deploy various post-intrusion ransomware families, including LockFile, Rook, Pandora, Atom Silo, and LockBit 2.0.
The ransomware may also serve to distract victims from identifying the true intent behind the intrusions. Deploying ransomware also reduces the likelihood that the attacks will be linked back to a Chinese government-sponsored threat group.
These ransomware attacks target a small number of victims and occur in brief spells before operations cease. Victims include pharmaceutical companies operating in Brazil and the US, and US-based media companies with offices in Hong Kong and China. Other victims include a US law firm and an electronic component designer and manufacturer with operations in Lithuania and Japan, among others.
Bronze Starlight has been active since mid-2021, and has also been tracked by Microsoft under the emerging threat cluster moniker DEV-0401.
The group is known to have cycled through almost six different ransomware strains: LockFile in August, Atom Silo in October, Rook in November, Night Sky in December, Pandora in February, and most recently LockBit 2.0 in April.
There are also similarities between these ransomware families, which may explain why this group has used them. Rook, Night Sky, and Pandora are derived from Babuk ransomware, whose source code was leaked in September 2021, so a common actor may be behind all three. Many similarities between LockFile and Atom Silo have also been uncovered.
Once Bronze Starlight gains a foothold inside a network, the group is known to use tools such as Cobalt Strike and WMI (Windows Management Instrumentation) for lateral movement. However, it has recently begun to use the Sliver framework instead of Cobalt Strike in its attacks.
Some researchers have suggested that the ransomware may be a smokescreen to hide intellectual property theft or espionage rather than a means of financial gain.