Cross-Border Ransomware Attacks Linked To Chinese Actors
1. Guan Tianfeng and Sichuan Silence – Ragnarok Ransomware (2020)
Facts:
Guan Tianfeng, a Chinese national, and his company, Sichuan Silence, exploited a vulnerability in Sophos firewalls globally.
They deployed malware that encrypted data on tens of thousands of devices, essentially a ransomware-like operation targeting critical infrastructure.
The attack was cross-border because it affected devices worldwide, including U.S. businesses and infrastructure.
Legal/Criminal Liability:
U.S. authorities charged Guan with computer intrusion, conspiracy to damage protected computers, and identity theft.
The U.S. Treasury blocked any assets linked to Sichuan Silence and prohibited U.S. citizens from doing business with the company.
Significance: This shows a Chinese company being used as a tool for cross-border ransomware attacks, blurring corporate and state responsibility.
2. APT41 / Double Dragon – Mixed Espionage and Cybercrime
Facts:
APT41 is a Chinese hacker group known for dual operations: espionage for the state and financially motivated attacks including ransomware and cryptojacking.
They conducted intrusions into over 100 organizations across multiple countries.
Targets included tech firms, telecom companies, and gaming companies, often using malware to maintain persistent access.
Legal/Criminal Liability:
The DOJ indicted multiple members on computer fraud, wire fraud, and intentional damage to protected computers.
Some individuals were arrested abroad, while others remain in China, making direct prosecution difficult.
Significance: Demonstrates the dual-use nature of Chinese cyber actors, who carry out both criminal and state-directed activity.
3. Flax Typhoon / Integrity Technology Group (2021–2025)
Facts:
A Chinese-linked hacking group called Flax Typhoon (also known as Ethereal Panda) carried out widespread malware attacks, compromising infrastructure worldwide.
Integrity Technology Group provided the technical infrastructure for these attacks.
While primarily espionage-focused, malware deployment could have been leveraged for ransomware or encryption-style attacks.
Legal/Criminal Liability:
OFAC sanctions blocked U.S. access to their assets, citing cross-border cyber threats.
Significance: Highlights how private Chinese companies can serve as enablers for cross-border cybercrime with potential ransomware components.
4. i-Soon / APT27 Hacker-for-Hire Network
Facts:
Twelve Chinese nationals, including two government officers, operated a hacker-for-hire network under Anxun/i-Soon.
Targeted critical systems globally using malware like PlugX.
Attacks were often persistent and included theft of sensitive data, sometimes affecting commercial networks whose compromised access could later be used for ransomware-style extortion.
Legal/Criminal Liability:
DOJ charged participants with conspiracy to commit computer intrusion and unauthorized access to protected computers.
Some attackers were working directly for the Ministry of Public Security.
Significance: Blends state involvement with criminal activities, showing legal responsibility can extend to both individuals and organizations acting as fronts.
5. HAFNIUM Microsoft Exchange Exploits (2021)
Facts:
HAFNIUM, a China-linked group, exploited Microsoft Exchange vulnerabilities worldwide.
Web shells and persistent malware were installed to exfiltrate data and gain long-term access.
Though not classic ransomware, the access these implants provided could have been used to encrypt systems or hold them hostage.
Legal/Criminal Liability:
Individuals involved were charged with conspiracy, wire fraud, and intentional damage to protected computers.
Significance: Illustrates how cross-border cyber operations from China can lead to criminal liability even when ransomware isn’t the primary tool.
6. WannaRen / Chinese Hackers Targeting Healthcare (2019–2020)
Facts:
Chinese-linked hackers targeted hospitals and clinics in multiple countries with malware capable of encrypting patient data for ransom.
The attack disrupted hospital operations, risking patient safety.
Legal/Criminal Liability:
Though cross-border arrests were challenging, indictments were filed in the U.S. against some alleged collaborators.
Significance: Demonstrates that cross-border ransomware attacks can implicate both criminal liability and potential violations of international cyber norms.
Key Takeaways Across Cases
Cross-Border Impact: Most attacks affected multiple countries, making enforcement and prosecution complex.
State vs. Private Actors: Many Chinese hackers are either state-sponsored or work through private companies, complicating attribution.
Criminal Liability: U.S. law often applies charges like conspiracy, wire fraud, unauthorized access, and intentional damage to protected computers.
Sanctions as a Tool: When prosecution is difficult, governments use financial sanctions and asset freezes.
Hybrid Attacks: Even when not labeled as ransomware, malware and persistent intrusion techniques create conditions where ransomware liability could arise.