State-sponsored cyber threat actors have increasingly adopted ransomware as a tool to further their geopolitical and financial objectives. Traditionally focused on cyber espionage and intelligence gathering, these groups now employ ransomware to disrupt critical infrastructure, generate illicit revenue, and mask their infrastructure and other nefarious activity.

Recent incidents highlight this shift. In late 2024, a ransomware attack attributed to the Chinese advanced persistent threat (APT) group known as Emperor Dragonfly, or Bronze Starlight, targeted an Asia-based software and services company.
The threat actor deployed a sophisticated toolset, including a legitimate Toshiba executable to deliver a PlugX backdoor, culminating in the deployment of RA World ransomware with a $2 million ransom demand. This marked a notable transition from the group's previous espionage-focused operations to financially motivated attacks.
This isn’t the only example of a nation-state threat actor leveraging ransomware; North Korea's Lazarus Group exemplifies the use of ransomware for financial gain. Beyond traditional espionage, Lazarus has conducted financially motivated attacks, including the infamous 2016 Bangladesh Bank heist.
In 2023, the group intensified its efforts, with reports attributing over $300 million in cryptocurrency thefts to Lazarus, underscoring a strategic pivot towards revenue generation to support national objectives.
The convergence of state-sponsored cyber activities and ransomware poses significant challenges to global security. These attacks not only disrupt essential services but also serve as revenue streams for regimes, potentially funding further malicious operations.
In response, international coalitions have implemented sanctions, bolstered cybersecurity defences, and enhanced intelligence-sharing to counteract this evolving threat landscape.
As state-sponsored groups continue to refine their tactics, the global community must remain vigilant, fostering collaboration and resilience to mitigate the multifaceted risks posed by ransomware in the hands of nation-state actors.
The blurring of the line between cybercrime and state-sponsored cyber-attacks is a trend we assess will continue as we progress through 2025.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).