RA World Ransomware Attack Leverages Espionage-Linked Toolset in Unexpected Twist

A recent RA World ransomware attack has raised eyebrows among cybersecurity researchers due to its use of tools previously linked to China-based espionage groups.

According to Symantec, the incident occurred in late 2024, targeting an Asian software and services company with a $2 million ransom demand.

The attackers deployed a legitimate Toshiba executable (toshdpdb.exe) on the victim’s device, which then loaded a malicious DLL to execute a PlugX backdoor—a tool historically associated with cyber-espionage rather than ransomware.
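As an added defensive illustration (not code from Symantec's report or the original article), the following Python checks Sysmon Event ID 7 (image load) style records for the pattern just described: the legitimate toshdpdb.exe loading a DLL that is unsigned or that sits beside it in a user-writable location. The sample records, the paths and the DLL name are constructed placeholders; the article does not name the malicious DLL.

```python
import ntpath
from typing import Optional

# Legitimate vendor binary abused in the attack described above.
WATCHED_EXECUTABLES = {"toshdpdb.exe"}
# Locations Windows loads its own DLLs from; loads from here are expected.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
# User-writable locations a vendor binary would not normally run from.
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "c:\\users\\public\\", "c:\\programdata\\")


def assess_image_load(event: dict) -> Optional[str]:
    """Reason string if a Sysmon Event ID 7 style record looks like side-loading, else None."""
    exe = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    if ntpath.basename(exe) not in WATCHED_EXECUTABLES or dll.startswith(SYSTEM_DIRS):
        return None
    unsigned = event.get("Signed", "false").lower() != "true"
    writable = any(marker in exe for marker in WRITABLE_DIRS)
    if not (unsigned or writable):
        return None  # signed DLL loaded by an installed binary: expected behaviour
    reasons = []
    if unsigned:
        reasons.append("unsigned DLL")
    if ntpath.dirname(dll) == ntpath.dirname(exe):
        reasons.append("DLL loaded from the executable's own directory")
    if writable:
        reasons.append("executable running from a user-writable path")
    return "; ".join(reasons)


def scan(events: list) -> list:
    """Run the check over a batch of records; returns (loaded image, reason) pairs."""
    hits = []
    for event in events:
        reason = assess_image_load(event)
        if reason:
            hits.append((event["ImageLoaded"], reason))
    return hits


# Constructed sample records (not real telemetry); the DLL name is a placeholder.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\toshdpdb.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\PLACEHOLDER_sideloaded.dll",
     "Signed": "false"},
    {"Image": "C:\\Program Files\\Toshiba\\toshdpdb.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true"},
    {"Image": "C:\\Program Files\\Toshiba\\toshdpdb.exe",
     "ImageLoaded": "C:\\Program Files\\Toshiba\\vendor_helper.dll", "Signed": "true"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\other.dll", "Signed": "false"},
]
```

Only the first constructed record is flagged; a signed DLL loaded by the same binary from its installed location is treated as normal, which keeps the rule from alerting on the vendor's own helper libraries.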

Exploitation of Vulnerabilities & Credential Theft

Although the initial infection vector remains unknown, the attackers claimed they gained access by exploiting a vulnerability in Palo Alto PAN-OS (CVE-2024-0012). From there, they:

  • Extracted administrative credentials from the company's intranet.
  • Compromised a Veeam server to steal Amazon S3 cloud credentials.
  • Exfiltrated data from S3 storage before encrypting the company’s computers.

Potential Links to Emperor Dragonfly (Bronze Starlight)

Based on their tactics, Symantec researchers suspect the involvement of Emperor Dragonfly (aka Bronze Starlight)—a China-linked group previously known for using ransomware to disguise intellectual property theft.

Interestingly, prior attacks using the same toolset—targeting government entities in Southeastern Europe, Southeast Asia, and the telecom sector—were focused solely on espionage rather than ransomware.

Espionage Tools in Cybercrime? A Rare Occurrence

Symantec noted that while China-linked espionage groups sometimes share tools, many of these aren't publicly accessible and are rarely used for cybercrime. The use of such resources in a ransomware attack is an unusual and concerning development in the evolving cyber threat landscape.