The VHD ransomware family that emerged earlier this year is the work of North Korea-linked threat actor Lazarus, Kaspersky’s security researchers reveal.
Active for more than a decade and believed to be operating on behalf of the North Korean government, Lazarus has been associated with various financially-motivated attacks, such as those targeting cryptocurrency exchanges.
Several malware families have been attributed to Lazarus over the past several months, including new Mac malware families and the cross-platform malware framework MATA. Now, Kaspersky reveals that the threat actor is also operating the VHD ransomware, which has been observed in two campaigns in March and May 2020.
Although ransomware attacks were attributed to Lazarus in the past as well, security researchers demonstrated that in some cases the attribution was incorrect. Kaspersky’s researchers, however, are confident that the North Korean hackers have indeed added ransomware to their arsenal, targeting enterprises for financial gain.
“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware,” said Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT.
VHD ransomware was initially observed in an attack in Europe, propagating inside compromised networks by brute-forcing the SMB service of identified computers using a “list of administrative credentials and IP addresses specific to the victim,” Kaspersky says.
A network share would be mounted upon successfully connecting to a machine, and the ransomware copied and executed via WMI calls, a technique reminiscent of APT campaigns employing wipers with worming capabilities (such as OlympicDestroyer, Sony SPE, and Shamoon).
In an attack observed in May 2020, however, the VHD ransomware was deployed to all machines in the network using a Python downloader. For initial access, the hackers exploited a VPN vulnerability, after which they gained administrative privileges and deployed a backdoor to compromise the Active Directory server.
The backdoor is a version of the multiplatform framework called MATA, which is also referred to as the Dacls RAT. The investigation into this incident, Kaspersky says, showed that a single threat actor was present in the victim’s network.
“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus,” the security researchers say.
Lazarus, which has been engaged in financial crime activities alongside typical nation-state attacks, has likely decided to switch to solo operations because it finds it difficult to interact with other cybercriminals, or because it is no longer willing to share profits with others, Kaspersky notes.
“While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome. The global ransomware threat is big enough as it is, and often has significant financial implications for victim organizations up to the point of rendering them bankrupt,” Kwiatkowski added.