I Don’t Think We’re in <Western country> Anymore: Ransomware TTPs from Intrusions and Actors in the Asia Pacific

Jono Davis

Across much of the research done on ransomware – be it the operations themselves, or affiliate tools, techniques, and procedures (TTPs) – the vast majority covers case studies from the Western hemisphere. Given the leak site statistics, this is no real surprise, with over 73% of leak site victims in 2023 being based in countries that make up “The West”. However, the Asia Pacific region is alive and well with ransomware, with a combination of techniques similar to those used in Western-targeted intrusions, as well as several TTPs that are distinctive to the region’s ransomware actors.

In collaboration with multiple partner firms within the Asia Pacific region, combined with our own directed research, the PwC Global Threat Intelligence team will use this talk as an opportunity to lay out multiple individual case studies involving ransomware operations impacting numerous entities across the continent. These case studies will include: incident response intrusions involving several highly likely non-Asia-based affiliates targeting an Asia-based entity (using bespoke TTPs not seen in subsequent operations), as well as assessed likely Asia-based affiliates with their own operating procedures. We will also use this talk to provide an analysis of a ransomware threat actor’s toolset, including the use of Chinese GitHub repositories and scripts that are common in the region but rarely used by Europe-based affiliates.

Alongside each case study, we provide a breakdown of where in the infection chain defences could have been placed to mitigate the particular TTPs from being successful. In doing so, we hope to provide actionable intelligence from our primary source data.