Inside the HQ of the Chinese cyber ransom gang

With a young man in shorts strumming his guitar and desks littered with water bottles and coffee cups, it could be a scene from any trendy tech start-up firm.

But this picture is believed to be the first from inside the lair of a so-called ransomware gang.

The fast-growing crime involves hackers seizing control of an IT system or data and demanding money to release it.

In the photograph – accompanied by a caption in Chinese reading ‘Wow! Little brother playing guitar’ – a second man peers at a screen, possibly orchestrating a fresh crime.

This picture is believed to be the first from inside the lair of a so-called ransomware gang

Unearthed by cyber security firm Internet 2.0, the photo is thought to show members of APT41, a Chinese group blamed for more than 100 hacks, including ransomware attacks, up to last year.

The FBI issued a wanted poster last September featuring the faces of five APT41 members wanted for questioning over a string of raids in the US, UK, Australia and Taiwan. 

The group is also suspected of spying for the Chinese regime, including during the pro-democracy protests in Hong Kong in 2018.

Ransomware profits last year are conservatively estimated at £250 million. According to research by cryptocurrency experts Chainalysis, the gangs saw profits leap by more than 300 per cent last year. 

Apart from the US, Britain is the most targeted country, with schools, charities and even individuals now added to existing targets such as large companies and Government departments.

Since December, more than 100 UK schools have been attacked, while people and organisations with Microsoft Exchange email accounts have also fallen prey to extortion bids.

Even The Woodland Trust, a conservation charity, has not been spared. Hackers targeted the group in December, causing problems for several months.

Security experts fear the criminals will switch their attention to the health service, as they did in Germany last September when they crippled a large hospital. 

The fast-growing crime involves hackers seizing control of an IT system or data and demanding money to release it

The fast-growing crime involves hackers seizing control of an IT system or data and demanding money to release it

Ciaran Martin, who was in charge of GCHQ’s National Cyber Security Centre until last August, said: ‘Right through the pandemic, the main worry was that someone would ransomware a hospital.’

Internet 2.0 co-founder David Robinson said: ‘APT41 is into everything. Ransomware has been a big part of their operation and what we’ve seen around the world for the last year is an unrelenting, sustained attack on organisations and individuals.’ 

The suspected APT41 hipster hackers in the photograph are in China, but other ransomware gangs are based in Russia, several former Soviet states, North Korea, Iran and parts of West Africa.

Thought to be in Russia, the notorious REvil group has targeted Microsoft emails and it is suspected of an attack against the Harris Federation, a group of nearly 50 primary and secondary schools in and around London. The gang last year also received £1.8 million from Travelex, the now bankrupt UK-based foreign currency exchange service, after taking control of its systems.

High street retailer Fat Face is the latest victim. It is understood to have paid £1.45 million ransom to a gang called Conti which stole 200 gigabytes of data, including customer information, and locked the firm out of its systems in January. Conti is thought to be linked to a suspected Russian ransomware cartel called Ryuk.

The Kremlin is accused of turning a blind eye as long as Russian firms and interests are spared.

The UK Government in 2020 announced the creation of a 3,000-strong National Cyber Force that will bring together specialists from GCHQ, the Ministry of Defence and the intelligence services to tackle the issue.

But security experts say the Government must make it harder for firms to pay up. At present, some companies have insurance policies that allow them to make claims for ransom payments.

‘We’ve got ransomware wrong as a society and criminals have clocked that it’s a lucrative, successful line of business,’ Mr Martin said. ‘Ransomware is increasing because it pays.’