Lazarus Group Reportedly Now Wielding Ransomware

Kaspersky Discovers 2 Incidents Involving VHD Ransomware
Illustration shows how the VHD ransomware strain can move laterally through infected networks before delivering the final payload to encrypt files. (Source: Kaspersky)

The Lazarus Group, the North Korean hacking group behind the WannaCry worm, the theft of $81 million from a Bangladesh bank and the attacks on Sony Pictures, apparently is expanding into ransomware, according to the security firm Kaspersky.

After examining two events earlier this year, the Kaspersky analysts concluded that a new form of ransomware called VHD appears to be the work of the Lazarus Group, which has also carried out online bank and cryptocurrency heists on behalf of the government of North Korea (see: North Korean Hacking Infrastructure Tied to Magecart Hits).

Kaspersky did not describe how it came across these two incidents or whether the victims paid any ransom to the attackers. But it said at least one of the attacks happened in Europe.

The VHD ransomware uses a framework called MATA to deliver the final payload, according to the report. Kaspersky released a study earlier this month that delved into other details of MATA and how Lazarus has used it over the past several months around the world (see: Lazarus Group Deploying Fresh Malware Framework).

The Kaspersky analysts also found that VHD uses techniques that enable it to move laterally across a network - techniques that are similar to those found in other malware deployed by Lazarus.

"A spreading utility, discovered along with the ransomware, propagated the program inside the network. It contained a list of administrative credentials and IP addresses specific to the victim, and leveraged them to brute-force the [Server Message Block] service on every discovered machine," Kaspersky analysts Ivan Kwiatkowski, Pierre Delcher and Félix Aime note in the report.

VHD Ransomware

The researchers determined that the VHD file-encrypting malware uses the MATA framework as a backdoor. Once the malicious code establishes an initial foothold within the network, the operators maintain persistence using Lazarus-associated tools and proceed to steal credentials to compromise Active Directory before deploying the VHD ransomware, according to the report.

VHD then spreads across the network by brute-forcing the SMB protocol on connected devices and copying itself, the report notes.

"This stood out to us as an uncharacteristic technique for cybercrime groups; instead, it reminded us of the [advanced persistent threat] campaigns" involving malware wiper campaigns such as Sony, Shamoon and OlympicDestroyer, the analysts note.

In at least one of the VHD incidents that Kaspersky analyzed, the researchers found that the attack began when the operators exploited a vulnerability in a VPN gateway at a targeted organization, according to the report.
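The SMB brute-forcing described in this section leaves a recognizable trace in failed-logon telemetry: one source failing network logons against many hosts, with several accounts, in a short window. The sketch below is an added example, not code from Kaspersky's report or from this article; the log format (simplified from Windows Security event 4625 with LogonType 3), the addresses, host names, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records, simplified from Windows Security event 4625
# (failed logon) with LogonType 3 (network logon, which covers SMB).
# Columns: timestamp, source IP, target host, target account.
SAMPLE_LOG = """\
2020-03-01T02:10:01 10.0.5.23 FS01 administrator
2020-03-01T02:10:01 10.0.5.23 FS01 svc_backup
2020-03-01T02:10:03 10.0.5.23 FS02 administrator
2020-03-01T02:10:03 10.0.5.23 FS02 svc_backup
2020-03-01T02:10:05 10.0.5.23 DC01 administrator
2020-03-01T02:10:06 10.0.5.23 WS17 svc_backup
2020-03-01T09:00:10 10.0.7.40 FS01 jsmith
2020-03-01T09:00:20 10.0.7.40 FS01 jsmith
2020-03-01T09:00:31 10.0.7.40 FS01 jsmith
2020-03-01T08:00:00 10.0.8.11 FS01 svc_scan
2020-03-01T10:00:00 10.0.8.11 FS02 svc_scan
2020-03-01T12:00:00 10.0.8.11 DC01 svc_scan
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, src, host, user = line.split()
        yield datetime.fromisoformat(ts), src, host, user.lower()

def detect_smb_spray(events, window=timedelta(seconds=60),
                     min_hosts=3, min_accounts=2):
    """Return {source_ip: (hosts, accounts)} for sources whose failed network
    logons inside one sliding window reach min_hosts distinct hosts and
    min_accounts distinct accounts (thresholds are illustrative)."""
    recent = defaultdict(deque)   # per-source events still inside the window
    alerts = {}
    for ts, src, host, user in sorted(events):
        q = recent[src]
        q.append((ts, host, user))
        while ts - q[0][0] > window:      # drop events older than the window
            q.popleft()
        hosts = {h for _, h, _ in q}
        accounts = {u for _, _, u in q}
        if len(hosts) >= min_hosts and len(accounts) >= min_accounts:
            seen_h, seen_a = alerts.get(src, (set(), set()))
            alerts[src] = (seen_h | hosts, seen_a | accounts)
    return alerts

if __name__ == "__main__":
    for src, (hosts, accounts) in detect_smb_spray(parse(SAMPLE_LOG)).items():
        print(src, sorted(hosts), sorted(accounts))
```

The single-host mistyped-password case (10.0.7.40) and the slow single-account scanner (10.0.8.11) stay below the thresholds, which is the distinction the rule is meant to draw.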

Ties to Lazarus Group

The Lazarus Group apparently has been targeting financial organizations and other industries as a way to funnel money to the North Korean government, which has been hurt by economic sanctions.

"The Lazarus Group, AKA Hidden Cobra, has no specific country or industry targets," James McQuiggan, security awareness advocate at KnowBe4, tells Information Security Media Group. "They go after who has the information they want or money they can get from organizations. Government authorities have identified them as collecting over $500 million from various organizations."

Since the Lazarus Group first came to the attention of U.S. authorities, those authorities have issued frequent warnings about North Korea-sponsored hackers and have published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime (see: Group Behind WannaCry Now Using New Malware).

About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
