Security Experts:

Connect with us

Hi, what are you looking for?



North Korean Hackers Operate VHD Ransomware, Kaspersky Says

The VHD ransomware family that emerged earlier this year is the work of North Korea-linked threat actor Lazarus, Kaspersky’s security researchers reveal.

The VHD ransomware family that emerged earlier this year is the work of North Korea-linked threat actor Lazarus, Kaspersky’s security researchers reveal.

Active for more than a decade and believed to be operating on behalf of the North Korean government, Lazarus has been associated with various financially-motivated attacks, such as those targeting cryptocurrency exchanges.

Several malware families have been attributed to Lazarus over the past several months, including new Mac malware families and the cross-platform malware framework MATA. Now, Kaspersky reveals that the threat actor is also operating the VHD ransomware, which has been observed in two campaigns in March and May 2020.

Although ransomware attacks were attributed to Lazarus in the past as well, security researchers demonstrated that in some cases the attribution was incorrect. Kaspersky’s researchers, however, are confident that the North Korean hackers have indeed added ransomware to their arsenal, targeting enterprises for financial gain.

“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware,” said Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT.

VHD ransomware was initially observed in an attack in Europe, propagating inside compromised networks by brute-forcing the SMB service of identified computers using a “list of administrative credentials and IP addresses specific to the victim,” Kaspersky says.

A network share would be mounted upon successfully connecting to a machine, and the ransomware copied and executed via WMI calls, a technique reminiscent of APT campaigns employing wipers with worming capabilities (such as OlympicDestroyer, Sony SPE, and Shamoon).

In an attack observed in May 2020, however, the VHD ransomware was deployed to all machines in the network using a Python downloader. For initial access, the hackers exploited a VPN vulnerability, after which they gained administrative privileges and deployed a backdoor to compromise the Active Directory server.

The backdoor is a version of the multiplatform framework called MATA, which is also referred to as the Dacls RAT. The investigation into this incident, Kaspersky says, showed that a single threat actor was present in the victim’s network.

“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus,” the security researchers say.

Lazarus, which has been engaged in financial crime activities alongside typical nation-state attacks, has likely decided to switch to solo operations because it finds it difficult to interact with other cybercriminals, or because it is no longer willing to share profits with others, Kaspersky notes.

“While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome. The global ransomware threat is big enough as it is, and often has significant financial implications for victim organizations up to the point of rendering them bankrupt,” Kwiatkowski added.

Related: Several New Mac Malware Families Attributed to North Korean Hackers

Related: Was North Korea Wrongly Accused of Ransomware Attacks?

Related: U.S. Cyber Command Shares More North Korean Malware Variants

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet


The North Korean APT tracked as TA444 is either moonlighting from its previous primary purpose, expanding its attack repertoire, or is being impersonated by...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...