Key Takeaways
- Sygnia recently investigated a Cheerscrypt ransomware attack that used Night Sky ransomware TTPs. Further analysis revealed that Cheerscrypt and Night Sky are both rebrands of the same threat group, dubbed ‘Emperor Dragonfly’ by Sygnia.
- ‘Emperor Dragonfly’ (A.K.A. DEV-0401 / BRONZE STARLIGHT) deployed open-source tools that were written by Chinese developers for Chinese users. This reinforces claims that the ‘Emperor Dragonfly’ ransomware operators are based in China.
- Contrary to publicly available information, Cheerscrypt ransomware makes use of payloads that target both Windows and ESXi environments.
Introduction
Sygnia recently investigated an incident involving Cheerscrypt ransomware. As the investigation progressed, it became clear that the threat actors had successfully maintained their presence inside the compromised network for several months. During the investigation, our incident response team made a significant discovery: the Tactics, Techniques and Procedures (TTPs) that were used in this attack strongly resemble those used by another ransomware group – Night Sky.
The publicly available information on Cheerscrypt is sparse and focuses on the final payload – the ransomware itself – and the subsequent encryption of ESXi servers. However, in this incident, Windows servers were also encrypted by Cheerscrypt’s ransomware encryptor.
Sygnia decided to investigate the threat actors behind this attack, in an attempt to attribute the group to a known actor. Although Night Sky had previously been associated with another threat group, Cheerscrypt had not been attributed to any known actor. The only clue to their identity was that the threat actors behind Cheerscrypt present themselves as pro-Ukrainian, indicated by the phrase “Слава Україні!” (“Glory to Ukraine!”) and the Ukrainian flag displayed on their dark web leak site.