The VHD ransomware family that emerged earlier this year is the work of North Korea-linked threat actor Lazarus, Kaspersky's security researchers reveal.

Active for more than a decade and believed to be operating on behalf of the North Korean government, Lazarus has been associated with various financially motivated attacks, such as those targeting cryptocurrency exchanges.

Several malware families have been attributed to Lazarus over the past several months, including new Mac malware families and the cross-platform malware framework MATA. Now, Kaspersky reveals that the threat actor is also operating the VHD ransomware, which has been observed in two campaigns, in March and May 2020.

Although ransomware attacks have been attributed to Lazarus in the past as well, security researchers demonstrated that in some cases the attribution was incorrect. Kaspersky's researchers, however, are confident that the North Korean hackers have indeed added ransomware to their arsenal, targeting enterprises for financial gain.

“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware,” said Ivan Kwiatkowski, senior security researcher at Kaspersky's GReAT.

VHD ransomware was initially observed in an attack in Europe, propagating within compromised networks by brute-forcing the SMB service of identified computers using a “list of administrative credentials and IP addresses specific to the victim,” Kaspersky says.

A network share would be mounted upon successfully connecting to a machine, and the ransomware copied and executed via WMI calls, a technique reminiscent of APT campaigns employing wipers with worming capabilities (such as OlympicDestroyer, Sony SPE, and Shamoon).
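As an added illustration (not from Kaspersky's report or this article), the propagation pattern described above can be turned into a simple detection heuristic: a burst of failed SMB logons from one host to another, followed within a short window by a successful logon and a WMI-launched process on the target, and the same source repeating this against several targets. Event names, hosts and timestamps below are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified telemetry (not real logs): (timestamp, source, target, event),
# where event is "smb_auth_fail", "smb_auth_ok" or "wmi_remote_exec".
SAMPLE_EVENTS = [
    ("2020-05-01T10:00:01", "10.0.0.5", "10.0.0.21", "smb_auth_fail"),
    ("2020-05-01T10:00:02", "10.0.0.5", "10.0.0.21", "smb_auth_fail"),
    ("2020-05-01T10:00:03", "10.0.0.5", "10.0.0.21", "smb_auth_fail"),
    ("2020-05-01T10:00:04", "10.0.0.5", "10.0.0.21", "smb_auth_ok"),
    ("2020-05-01T10:00:09", "10.0.0.5", "10.0.0.21", "wmi_remote_exec"),
    ("2020-05-01T10:01:00", "10.0.0.5", "10.0.0.22", "smb_auth_fail"),
    ("2020-05-01T10:01:01", "10.0.0.5", "10.0.0.22", "smb_auth_fail"),
    ("2020-05-01T10:01:02", "10.0.0.5", "10.0.0.22", "smb_auth_fail"),
    ("2020-05-01T10:01:03", "10.0.0.5", "10.0.0.22", "smb_auth_ok"),
    ("2020-05-01T10:01:07", "10.0.0.5", "10.0.0.22", "wmi_remote_exec"),
    ("2020-05-01T11:00:00", "10.0.0.8", "10.0.0.40", "smb_auth_fail"),   # one typo by an admin
    ("2020-05-01T11:00:05", "10.0.0.8", "10.0.0.40", "smb_auth_ok"),
    ("2020-05-01T11:00:09", "10.0.0.8", "10.0.0.40", "wmi_remote_exec"), # legitimate remote admin
    ("2020-05-01T12:00:00", "10.0.0.9", "10.0.0.30", "smb_auth_fail"),   # failures that never succeed
    ("2020-05-01T12:00:01", "10.0.0.9", "10.0.0.30", "smb_auth_fail"),
    ("2020-05-01T12:00:02", "10.0.0.9", "10.0.0.30", "smb_auth_fail"),
]

def find_worming_pairs(rows, min_failures=3, window=timedelta(minutes=10)):
    """Return (source, target) pairs where >= min_failures SMB logon failures are
    followed within `window` by a successful logon and then a WMI remote execution."""
    events = sorted((datetime.fromisoformat(ts), s, d, ev) for ts, s, d, ev in rows)
    fails = defaultdict(list)   # (src, dst) -> recent failure timestamps
    success_at = {}             # (src, dst) -> time of a success that followed a burst
    hits = set()
    for ts, src, dst, ev in events:
        key = (src, dst)
        if ev == "smb_auth_fail":
            fails[key] = [t for t in fails[key] if ts - t <= window] + [ts]
        elif ev == "smb_auth_ok" and len(fails[key]) >= min_failures:
            success_at[key] = ts
        elif ev == "wmi_remote_exec":
            t = success_at.get(key)
            if t is not None and ts - t <= window:
                hits.add(key)
    return sorted(hits)

def spreading_sources(rows, min_targets=2):
    """Sources that completed the brute-force-then-WMI pattern against several targets."""
    per_source = defaultdict(set)
    for src, dst in find_worming_pairs(rows):
        per_source[src].add(dst)
    return sorted(s for s, dsts in per_source.items() if len(dsts) >= min_targets)
```

In real telemetry the three event kinds map to failed and successful network logons on the target and to process creations parented by the WMI provider host; the thresholds and window are tuning knobs, not findings from the report.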

In an attack observed in May 2020, however, the VHD ransomware was deployed to all machines in the network using a Python downloader. For initial access, the hackers exploited a VPN vulnerability, after which they gained administrative privileges and deployed a backdoor to compromise the Active Directory server.

The backdoor is a version of the multiplatform framework known as MATA, which is also referred to as the Dacls RAT. The investigation into this incident, Kaspersky says, showed that a single threat actor was present in the victim's network.

“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus,” the security researchers say.

Lazarus, which has been engaged in financial crime activities alongside typical nation-state attacks, has likely decided to switch to solo operations because it finds it difficult to interact with other cybercriminals, or because it is not willing to share profits with others, Kaspersky notes.

“While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome. The global ransomware threat is big enough as it is, and often has significant financial implications for victim organizations up to the point of rendering them bankrupt,” Kwiatkowski added.


North Korean hackers are running VHD Ransomware, Kaspersky says

Ionut Arghire is a global correspondent for SecurityWeek.
