North Korea-backed Lazarus creates new ransomware


The notorious North Korean state-sponsored advanced persistent threat (APT) group called Lazarus has created its own ransomware and is using it against large entities for financial gain. 

This was revealed by research from Kaspersky, which claims that the ransomware named VHD can be attributed to threat group Lazarus with ‘high confidence’. VHD is designed to extort money from its victims, and is unusual due to its self-replication method, according to the Russian security company.

The move by the group to create and distribute ransomware indicates a change of strategy and signifies a readiness to enter the big-game hunt for financial gain, which Kaspersky says is highly unusual among state-sponsored APT groups.

During March and April this year, a number of cyber security organisations, including Kaspersky, reported on VHD ransomware. Its use of a spreading utility compiled with victim-specific credentials was reminiscent of APT campaigns. Although at the time the actor behind the attacks was not determined, Kaspersky researchers linked the VHD ransomware to Lazarus following analysis of an incident where it was used in close conjunction with known Lazarus tools against businesses in France and Asia.


Two separate investigations involving VHD ransomware were conducted between March and May 2020. While the first incident, which occurred in Europe, did not give many hints as to who was behind it, the spreading techniques similar to those used by APT groups kept the investigation team curious. Moreover, the attack did not fit the usual modus operandi of known big-game hunting groups.

In addition, the fact that a very limited number of VHD ransomware samples were available – coupled with very few public references – indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case, says Kaspersky.

The second incident involving VHD ransomware provided a full picture of the infection chain and enabled researchers to link the ransomware to Lazarus. Among other things, and most notably, the attackers employed a backdoor that was part of a multiplatform framework called MATA, which ITWeb reported on last week and which has been linked to Lazarus through a number of code and utility similarities.

This connection suggested that Lazarus was behind the VHD ransomware campaigns that have been documented so far. This is also the first time it has been established that the group has resorted to targeted ransomware attacks for financial gain, having created and solely operated its own ransomware, which is unusual in the cyber crime ecosystem.

Ivan Kwiatkowski, a senior security researcher at Kaspersky’s GReAT, says Kaspersky has known that Lazarus has always been focused on financial gain; however, since WannaCry the company had not seen the group engage with ransomware. He adds that while it is obvious that the group cannot match the efficiency of other cyber criminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such attacks is concerning.

“The global ransomware threat is big enough as it is, and often has significant financial implications for victim organisations up to the point of rendering them bankrupt. The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors,” adds Kwiatkowski.

Irrespective, organisations need to remember that data protection remains more important than ever before – creating isolated back-ups of essential data and investing in reactive defences are absolute must-dos, he ends.
