Threat Actors Attacking Organization in Thailand to Deploy Ransomware


Apr 25, 2025 - 11:26

Thailand has emerged as a significant target for sophisticated ransomware attacks, with a dramatic 240% increase in cyber campaigns recorded in 2024 compared to the previous year.

This surge reflects heightened geopolitical tensions and strategic interest in Thailand’s expanding digital economy, which has created a fertile ground for cyber threat actors seeking financial gain or intelligence.

The nation’s position as a regional financial hub and its rapid digital transformation have inadvertently exposed critical infrastructure, creating vulnerabilities that malicious actors actively exploit.

The ransomware landscape in Thailand has evolved significantly since early 2023, with attacks becoming more targeted and technically advanced.

According to recent data, ransomware victims in Thailand increased fivefold from 2022 to 2023, with 35 confirmed victims, while 2025 has already recorded 8 victims as of April.

These attacks predominantly target web applications, operating systems, and databases, demonstrating the threat actors’ focus on compromising core infrastructure and customer-facing assets that contain valuable data.

Cyfirma researchers have identified that over 70% of threat actors targeting Thailand originate from China and Russia, with significant contributions from North Korean groups as well.

Threat Actor Motivations Targeting Thailand (Source – Cyfirma)

Their analysis reveals a complex threat landscape dominated by both state-sponsored Advanced Persistent Threats (APTs) and cybercriminal organizations, with prominent actors including MISSION2025, Lazarus Group, and TA505 demonstrating sustained interest in Thai organizations.

The most alarming finding from Cyfirma’s investigation is the dominance of LockBit3, which accounts for over 52.78% of all ransomware activity targeting Thailand.

Other active groups like RansomHub and Qilin represent the expanding Ransomware-as-a-Service (RaaS) ecosystem, enabling even low-skilled attackers to deploy sophisticated malware.

Consumer Goods & Services, IT, and Manufacturing industries face the highest risk, likely due to their economic importance and digital exposure.

Top Targeted Industries in Thailand (Source – Cyfirma)

Inside LockBit3’s Infection Chain

LockBit3’s infection mechanism typically begins with phishing emails containing malicious document attachments or through exposed Remote Desktop Protocol (RDP) services.

Once initial access is established, the malware employs PowerShell scripts to disable security features and establish persistence. A typical command might look like this:

PowerShell.exe -ExecutionPolicy Bypass -Command "$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('BASE64_ENCODED_PAYLOAD')); IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream($s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()"
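For defenders, the traits of the command above (execution-policy bypass, Base64 decode, Gzip decompression, IEX) can be scored over process-creation command lines. The following is an added example, not code from the article or from Cyfirma; it also goes beyond the quoted command by decoding an -EncodedCommand wrapper first. The function names, sample command lines and script path are constructed assumptions.

```python
import base64
import re

# Traits of the command quoted above; PowerShell ignores case, so do we.
INDICATORS = {
    "execution_policy_bypass": re.compile(r"-(?:ep|ex\w*)\s+bypass\b", re.I),
    "base64_decode": re.compile(r"\bFromBase64String\s*\(", re.I),
    "gzip_decompress": re.compile(r"\bGzipStream\b.*\bDecompress\b", re.I | re.S),
    "invoke_expression": re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
}
# -EncodedCommand and its short forms carry a Base64, UTF-16LE script body.
ENCODED_ARG = re.compile(r"-e(?:c|n\w*)?\s+([A-Za-z0-9+/=]{16,})", re.I)
LOADER = {"base64_decode", "gzip_decompress", "invoke_expression"}


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand body so the indicators can see it."""
    match = ENCODED_ARG.search(cmdline)
    if not match:
        return cmdline
    try:
        body = base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a real encoded command; score the raw text only
    return cmdline + "\n" + body


def triage(cmdline):
    """Return matched indicators; alert when decode + decompress + execute co-occur."""
    text = expand_encoded(cmdline)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    return {"hits": hits, "alert": LOADER <= set(hits)}


# Constructed sample command lines (placeholder payload, hypothetical script path).
INNER = ("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('BASE64_ENCODED_PAYLOAD')); "
         "IEX (New-Object IO.StreamReader(New-Object IO.Compression.GzipStream("
         "$s,[IO.Compression.CompressionMode]::Decompress))).ReadToEnd()")
PAGE_STYLE = 'PowerShell.exe -ExecutionPolicy Bypass -Command "' + INNER + '"'
ENCODED = "powershell.exe -NoProfile -enc " + base64.b64encode(INNER.encode("utf-16-le")).decode()
BENIGN = r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"

if __name__ == "__main__":
    for sample in (PAGE_STYLE, ENCODED, BENIGN):
        print(triage(sample))
```

The benign sample shows why the execution-policy flag alone is a weak signal: it is recorded as a hit but does not raise an alert without the decode, decompress and execute combination.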

The ransomware then enumerates network resources using Windows Management Instrumentation (WMI) queries and leverages tools like Mimikatz for credential harvesting before encrypting files with robust RSA-2048 and AES-256 algorithms.

Cyfirma researchers noted that LockBit3 operators carefully select their targets in Thailand, often performing extensive reconnaissance and data exfiltration before deploying encryption payloads, maximizing both ransom potential and double-extortion leverage through threats to publish stolen data on leak sites.


The post Threat Actors Attacking Organization in Thailand to Deploy Ransomware appeared first on Cyber Security News.