Threat analysts from Secureworks have uncovered the activities of two Chinese hacking groups that use ransomware as a decoy for cyber espionage. Ransomware as a decoy allows attackers to cover their tracks, complicate attribution, and distract defenders.

The two cluster of hacker activities are “Bronze Riverside” (APT41), and “Bronze Starlight” (APT10). Both use the HUI Loader to deploy remote access trojans, PlugX, Cobalt Strike and QuasarRAT.

It is unclear whether these ransomware families were developed as decoys to hide other malicious activities. Nothing is certain, because all the discussed ransomware strains are based on publicly available leaked codes.

According to the researchers, “Bronze Starlight” may be creating short-lived ransomware strains just to disguise its cyber espionage operations as a ransomware attack. This is because the five ransomware strains (LockFile, AtomSilo, Rook, Night Sky and Pandora) used during attacks never posed a significant threat.

The cyber activities therefore serve as a reminder of the need to set up robust ransomware detection and protection mechanisms. Systems should also be thoroughly inspected post-cleanup.