Euro Security Watch with Mathew J. Schwartz

Cause for Concern? Ransomware Strains Trace to North Korea

Attackers Appear to Be Testing Profit-Making Potential of Crypto-Locking Malware
Visualizing code in strains of ransomware that trace to North Korean hackers (Source: Trellix)

If you were a nation with legions of hackers at your disposal, seeking to sidestep crippling international sanctions, would you look to ransomware to fund your regime?

That's one obvious question posed by new research that finds state-sponsored North Korean hackers haven't stopped experimenting with ransomware.

Specifically, a researcher at security firm Trellix reports finding signs that four ransomware strains recently spotted in the wild trace to North Korean government hackers.

The U.S. State Department has posted a reward for information leading to the identification or capture of North Korean hackers.

Of course, the Pyongyang-based Democratic People's Republic of Korea, as it's officially known, doesn't shy away from using various illicit tactics to turn a profit, including online bank heists and regularly hitting cryptocurrency exchanges. Why should ransomware be any different?

Lessons learned from WannaCry might be one answer. In May 2017, the crypto-locking ransom worm struck worldwide and was later attributed to Lazarus Group - aka APT 38, Hidden Cobra, Unit 180 - which has been tied to North Korea's primary intelligence agency, the Reconnaissance General Bureau. The fact that WannaCry lacked the ability to receive ransom payments suggested the malware might have gotten out of control before its developers were ready for it to be deployed. Perhaps any further mass ransomware campaign that might get traced to Pyongyang is seen by leaders as still being too politically toxic?

Sanctions might be another answer: the U.S. Treasury Department's Office of Foreign Assets Control continues to expand its sanctions against Lazarus Group as the group gets blamed for more attacks, including the March theft of $615 million in cryptocurrency from the Ronin decentralized finance service. The OFAC sanctions prohibit anyone from conducting any transactions involving specified groups or wallet addresses.

Signs of Fresh Crypto-Locking Malware

Nevertheless, while ransomware continues to largely be the province of criminal groups, and in particular ransomware-as-a-service operations, post-WannaCry "there have also been attempts made to step into the world of ransomware" by DPRK hackers, says Christiaan Beek, the lead scientist and senior principal engineer of Trellix Threat Labs, in a recent report.

That includes VHD ransomware, which was first spotted in March 2020, and which researchers found was being deployed via Lazarus' cross-platform malware delivery system, called MATA.

In early 2021, meanwhile, security researchers found that newly deployed TFlower ransomware appeared to be using the MATA framework, suggesting that it was being deployed by North Koreans.

Might DPRK's ransomware experiments be continuing?

To help answer that question, Beek began looking for any malware that reused VHD ransomware code. He found code overlaps between VHD and these four ransomware families: BEAF, PXJ, ZZZZ and CHiCHi. In addition, he found that the same ProtonMail email address was used as a contact point for samples of both the CHiCHi and ZZZZ ransomware families.

Beek says he used "a Hilbert curve mapping, which is used to map a string of data into an alternate dimensional space," to help visualize code reuse. (Source: Trellix)
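To make the Hilbert curve idea concrete, here is an added example (not Trellix's code or tooling) that marks which blocks of one buffer also occur in another and lays those marks out along a Hilbert curve, so reused regions that are contiguous in the file show up as compact patches in the picture. The function names, the 4-byte block size and both sample buffers are constructed for illustration.

```python
def d2xy(order, d):
    """Map position d along a Hilbert curve to (x, y) on a 2**order square grid."""
    x = y = 0
    s, t = 1, d
    while s < (1 << order):
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # rotate/flip the quadrant
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y

def reuse_marks(reference, candidate, block=4):
    """Return 1 for each aligned block of candidate that occurs anywhere in reference."""
    seen = {reference[i:i + block] for i in range(len(reference) - block + 1)}
    return [int(candidate[i:i + block] in seen)
            for i in range(0, len(candidate) - block + 1, block)]

def hilbert_grid(marks, order):
    """Place the 1-D list of marks onto a 2-D grid following the Hilbert curve."""
    n = 1 << order
    grid = [[0] * n for _ in range(n)]
    for d, mark in enumerate(marks[:n * n]):
        x, y = d2xy(order, d)
        grid[y][x] = mark
    return grid

# Constructed sample data: SAMPLE_B is unrelated to SAMPLE_A except for
# 16 bytes copied from SAMPLE_A[40:56] into SAMPLE_B[16:32].
SAMPLE_A = bytes((i * 7 + 3) % 256 for i in range(64))
_b = bytearray((i * 13 + 101) % 256 for i in range(64))
_b[16:32] = SAMPLE_A[40:56]
SAMPLE_B = bytes(_b)

if __name__ == "__main__":
    # 16 blocks of 4 bytes fit a 4x4 (order 2) grid; '#' marks reused blocks.
    for row in hilbert_grid(reuse_marks(SAMPLE_A, SAMPLE_B), 2):
        print("".join("#" if cell else "." for cell in row))
```

The four reused blocks are adjacent in the file, and because consecutive curve positions are always neighbouring cells they land in a single 2x2 quadrant of the grid rather than being scattered across rows as a plain row-by-row layout of a large file would do.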

Beek says attacks involving those four strains of ransomware appeared to focus on targets in the Asia-Pacific region but were not widely deployed. "Besides some reports, not much is known about the victims as there were no leak pages or negotiation chats, which are now common for groups to utilize," he says. In addition, whatever ransoms might have been demanded, "the paid ransom amounts were relatively small," and none of the cryptocurrency wallets connected to the different strains appeared to interact with each other.

Experiments Continue

Hence Beek says all signs point to hackers associated with DPRK continuing to test ransomware and perhaps occasionally to use it as a distraction to facilitate other attacks - as seen in an online heist from a bank in Taiwan in 2017 - but not to run full-fledged campaigns.

"What we have observed so far is that source code of a ransomware family was bought, modified and used in the APAC region," he tells me. "However, to date, we have found that the amount of attacks recorded and reported are low. Compared to the larger RaaS campaigns, they resemble more of an 'attempt' as opposed to a sophisticated setup operation."

One likely explanation for DPRK hackers not focusing on ransomware: Time is money. For criminals, ransomware and business email compromise schemes continue to be two relatively quick, easy, safe and lucrative strategies.

But the DPRK hackers face a significant challenge, which is that the OFAC sanctions have prohibited funds from being paid to them and could be easily expanded to cover any new cryptocurrency wallets that the hackers might try to use for receiving ransom payments.

"The Democratic People's Republic of Korea is already under heavy sanctions to limit their movements," Beek says. "By following in the footsteps of ransomware crews like Conti and actively attacking Western targets including critical infrastructure, they risk more sanctions against them."

Hence so far DPRK has likely decided that other strategies offer an easier payday. "Attacking cryptocurrency exchanges and quickly using mixing services to exchange against less traceable cryptocurrency or cash it out and launder it in other ways is effective and comes with less risk," Beek says.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
