Connect with us

Hi, what are you looking for?



North Korean Hackers Operate VHD Ransomware, Kaspersky Says

The VHD ransomware family that emerged earlier this year is the work of North Korea-linked threat actor Lazarus, Kaspersky’s security researchers reveal.

The VHD ransomware family that emerged earlier this year is the work of North Korea-linked threat actor Lazarus, Kaspersky’s security researchers reveal.

Active for more than a decade and believed to be operating on behalf of the North Korean government, Lazarus has been associated with various financially-motivated attacks, such as those targeting cryptocurrency exchanges.

Several malware families have been attributed to Lazarus over the past several months, including new Mac malware families and the cross-platform malware framework MATA. Now, Kaspersky reveals that the threat actor is also operating the VHD ransomware, which has been observed in two campaigns in March and May 2020.

Although ransomware attacks were attributed to Lazarus in the past as well, security researchers demonstrated that in some cases the attribution was incorrect. Kaspersky’s researchers, however, are confident that the North Korean hackers have indeed added ransomware to their arsenal, targeting enterprises for financial gain.

“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware,” said Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT.

VHD ransomware was initially observed in an attack in Europe, propagating inside compromised networks by brute-forcing the SMB service of identified computers using a “list of administrative credentials and IP addresses specific to the victim,” Kaspersky says.

A network share would be mounted upon successfully connecting to a machine, and the ransomware copied and executed via WMI calls, a technique reminiscent of APT campaigns employing wipers with worming capabilities (such as OlympicDestroyer, Sony SPE, and Shamoon).

In an attack observed in May 2020, however, the VHD ransomware was deployed to all machines in the network using a Python downloader. For initial access, the hackers exploited a VPN vulnerability, after which they gained administrative privileges and deployed a backdoor to compromise the Active Directory server.

Advertisement. Scroll to continue reading.

The backdoor is a version of the multiplatform framework called MATA, which is also referred to as the Dacls RAT. The investigation into this incident, Kaspersky says, showed that a single threat actor was present in the victim’s network.

“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus,” the security researchers say.

Lazarus, which has been engaged in financial crime activities alongside typical nation-state attacks, has likely decided to switch to solo operations because it finds it difficult to interact with other cybercriminals, or because it is no longer willing to share profits with others, Kaspersky notes.

“While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome. The global ransomware threat is big enough as it is, and often has significant financial implications for victim organizations up to the point of rendering them bankrupt,” Kwiatkowski added.

Related: Several New Mac Malware Families Attributed to North Korean Hackers

Related: Was North Korea Wrongly Accused of Ransomware Attacks?

Related: U.S. Cyber Command Shares More North Korean Malware Variants

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...