The Lazarus Group, the infamous North Korean hacking crew, is now targeting victims with its own home-grown ransomware as it looks to enter “big-game hunting”.
First reported by Russian security researchers in the spring of 2020, the VHD ransomware is used for extracting money from victims and differs from other forms of ransomware as it utilizes a "self-replication method" not commonly seen in regular cybercrime-oriented malware.
“This malware’s use of a spreading utility compiled with victim-specific credentials was reminiscent of APT campaigns,” said the Kaspersky researchers in a media release.
APT is short for "advanced persistent threat" and generally means that the attacker is sponsored or backed by a nation-state with political or strategic motives, instead of being part of a criminal group out to make money.
Kaspersky suggested that “the move by Lazarus to create and distribute ransomware signifies a change of strategy and indicates a readiness to enter the big hunt for financial gain”.
The Lazarus Group is one of the most reckless and destructive hacking groups in existence. It created the 2017 WannaCry worm, which brought the U.K.'s National Health Service to a standstill and destroyed data on thousands of computers worldwide.
The Lazarus Group also attacked Sony Pictures in 2014 in retaliation for a comedy satirizing North Korean leader Kim Jong Un and tried to steal $1 billion from the Bank of Bangladesh in 2016.
"Lazarus has always existed at a special crossroads between APT and financial crime," says the Kaspersky report. "We can only speculate about the reason why they are now running solo ops: maybe they find it difficult to interact with the cybercrime underworld, or maybe they felt they could no longer afford to share their profits with third parties."
Unmasking the hackers
Initially, the creator behind VHD wasn’t known, but Kaspersky researchers have determined with “high confidence” that it is indeed the Lazarus Group “following analysis of an incident where it was used in close conjunction with known Lazarus tools against businesses in France and Asia”.
It’s believed that two incidents have taken place where this ransomware was used against targets. The first happened in Europe, and according to Kaspersky, it “did not give many hints as to who was behind it.”
However, the research team was determined to get to the bottom of the unknown creator, because the attackers had used “spreading techniques similar to those used by APT groups.”
“The attack did not fit the usual modus operandi of known big-game hunting groups,” Kaspersky said. “The fact that a very limited number of VHD ransomware samples were available -- coupled with very few public references -- indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.”
But when a second incident happened, the researchers started to join the dots and gained a better understanding of who was behind the ransomware.
“Among other things -- and most importantly -- the attackers used a backdoor, which was a part of a multiplatform framework called MATA, which Kaspersky recently reported on in-depth and is linked to the aforementioned threat actor due to a number of code and utility similarities,” they said.
“The established connection indicated that Lazarus was behind the VHD ransomware campaigns that have been documented so far.”
What’s particularly interesting about these incidents is they suggest that Lazarus has even bigger ambitions.
Kaspersky said: “This is also the first time it has been established that the Lazarus group has resorted to targeted ransomware attacks for financial gain, having created and solely operated its own ransomware, which is not typical in the cybercrime ecosystem.”
Ivan Kwiatkowski, senior security researcher at Kaspersky’s Global Research Analysis Team, warned: "The global ransomware threat is big enough as it is, and often has significant financial implications for victim organisations up to the point of rendering them bankrupt.
“The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors.
“Regardless, organizations need to remember that data protection remains important as never before -- creating isolated back-ups of essential data and investing in reactive defenses are absolute must-dos”.