North Korea’s Lazarus gang now targets companies with ransomware

State-backed hackers are now deploying VHD ransomware

Lazarus deploys VHD ransomware

As we are now heading towards the second half of 2020, it proves to be a rough year not only in medical or political but also in the cybersecurity field – it has seen a considerable rise in targeted ransomware attacks performed by multiple high-profile cybercriminal gangs. The notorious North Korean hacking group Lazarus now got into the illegal ransomware business as well, as was discovered by security researchers from Kaspersky.

According to a report published on Tuesday,[1], the APT is behind one of the most recently-released ransomware strains – VHD. Kaspersky researchers analyzed two instances of VHD ransomware[2] being deployed after unauthorized access was gained to the companies’ networks. Malware has only been used only a few times, and there are very few public references available.

This strain did not match the typical modus operandi of well-known groups – such as actors behind Maze, DoppelPaymer,[3] and others. Instead, experts’ attention was caught by the fact that that the deployment tactics firmly reminded those performed by APT groups. This also hinted that the malware was not widely distributed on the underground forums:

We felt that this attack did not fit the usual modus operandi of known big-game hunting groups. In addition, we were only able to find a very limited number of VHD ransomware samples in our telemetry, and a few public references. This indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.

VHD ransomware is primitive but effective

VHD ransomware itself is not something special, as concluded by the Kaspersky research team. Written in C++, it performs very typical infection routine – deletes Shadow Volume Copies to prevent file redemption, stops MS Exchange and SQL server processes, and then locks all the data found on the network with a combination of AES-256 and RSA-2048 encryption algorithms.

One of the more interesting features of the ransomware is that it is capable of proceeding with the encryption routine if the process was initially interrupted. However, this function might be one of the downfalls, as researchers believe that it could help victims to recover some of the data:

For files larger than 16MB, the ransomware stores the current cryptographic materials on the hard drive, in clear text. This information is not deleted securely afterwards, which implies there may be a chance to recover some of the files.

The MATA platform is used for distribution

Lazarus, also known as Hidden Cobra, is a prolific hacking group that is believed to be sponsored by the North Korean government and is actively used for cyber-espionage and financial crime campaigns. The gang was previously linked to such attacks as Sony’s Operation Blockbuster in 2013,[4] the WannaCry outbreak in 2017, and many others. In 2019, the APT group began employing its own malware dubbed as Dacls,[5] also known as MATA, a framework of which was used in the second instance of a VHD ransomware attack.

Kaspersky said that threat actors broke into the network via an insecure VPN gateway. After gaining administrative privileges, they installed the backdoor and gained access to the Active Directory server. Later, hackers did not use a spreading utility but rather utilized and download utility – Dacls/MATA.

Based on this analysis, Kaspersky finalized the report with the following:

The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus.