Lazarus Group Reportedly Now Wielding RansomwareKaspersky Discovers 2 Incidents Involving VHD Ransomware
The Lazarus Group, the North Korean hacking group behind the WannaCry worm, the theft of $81 million from a Bangladesh bank and the attacks on Sony Pictures, apparently is expanding into ransomware, according to the security firm Kaspersky.
See Also: Threat Briefing: Ransomware
After examining two events earlier this year, the Kaspersky analysts concluded that a new form of ransomware called VHD appears to be the work of the Lazarus Group, which has also carried out online bank and cryptocurrency heists on behalf of the government of North Korea (see: North Korean Hacking Infrastructure Tied to Magecart Hits).
Kaspersky did not describe how it came across these two incidents or whether the victims paid any ransom to the attackers. But it said at least one of the attacks happened in Europe.
The VHD ransomware uses a framework called MATA to deliver the final payload, according to the report. Kaspersky released a study earlier this month that delved into other details of MATA and how Lazarus has used it over the past several months around the world (see: Lazarus Group Deploying Fresh Malware Framework).
The Kaspersky analysts also found that VHD uses techniques that enable it to move laterally across a network - techniques that are similar to those found in other malware deployed by Lazarus.
"A spreading utility, discovered along with the ransomware, propagated the program inside the network. It contained a list of administrative credentials and IP addresses specific to the victim, and leveraged them to brute-force the [Server Message Block] service on every discovered machine," Kaspersky analysts Ivan Kwiatkowski, Pierre Delcher and Félix Aime note in the report.
The researchers determined that the VHD file-encrypting malware uses the MATA framework as a backdoor. Once the malicious code establishes an initial foothold within the network, the operators maintain persistence using Lazarus-associated tools and proceed to steal credentials to compromise Active Directory before deploying the VHD ransomware, according to the report.
VHD then spreads across the network by brute-forcing the SMB protocol on connected devices and copying itself, the report notes.
"This stood out to us as an uncharacteristic technique for cybercrime groups; instead, it reminded us of the [advanced persistent threat] campaigns" involving malware wiper campaigns such as Sony, Shamoon and OlympicDestroyer, the analysts note.
In at least one of the VHD incidents that Kaspersky analyzed, the researchers found that the attack began when the operators exploited a vulnerability in a VPN gateway at a targeted organization, according to the report.
Ties to Lazarus Group
The Lazarus Group apparently has been targeting financial organizations and other industries as a way to funnel money to the North Korean government, which has been hurt by economic sanctions.
"The Lazarus Group, AKA Hidden Cobra, has no specific country or industry targets," James McQuiggan, security awareness advocate at KnowBe4, tells Information Security Media Group. "They go after who has the information they want or money they can get from organizations. Government authorities have identified them as collecting over $500 million from various organizations."
Since the Lazarus Group first came to the attention of U.S authorities, they have issued frequent warnings about North Korea-sponsored hackers and have published data on nearly 30 malware variants associated with hacking groups suspected of working with the regime (see: Group Behind WannaCry Now Using New Malware).