Lazarus hacking group stealing data with a new ransomware strain known as VHD
The Lazarus Group is a hacking group made up of an unknown number of individuals. While little is known about the group itself, researchers have attributed many cyberattacks to it over the last decade. Originally regarded as a criminal group, it is now classified as an advanced persistent threat (APT) because of the deliberate nature of its operations, the threat it poses, and the wide array of methods it uses when conducting an operation.
Kaspersky Lab reported in 2017 that Lazarus tended to concentrate on espionage and infiltration, whereas a sub-group within the organization, which Kaspersky called Bluenoroff, specialized in financial attacks. Kaspersky found multiple attacks worldwide and a direct link (an IP address) between Bluenoroff and North Korea.
Now researchers from Kaspersky have found the group stealing and encrypting victims’ data with a new ransomware strain known as VHD. They say the tools and techniques used during the two intrusions they investigated link the attackers to the Lazarus Group.
Kaspersky’s researchers wrote: “The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus.”
According to the researchers, the malware itself is nothing out of the ordinary: “During our first encounter with it, we felt like it was definitely recent and lacking in maturity.” While Kaspersky’s report does not discuss the attackers’ motivation, the North Korean hackers are well known for being financially motivated, as shown by their campaigns.
The ransomware also includes a spreading utility that propagates it across the victim’s network. The utility carries a list of admin credentials that it uses to brute-force the SMB service on every machine it can reach. In practice this produces a burst of network logon attempts from one host against many others in a short time, which is the signal defenders should be watching for.
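The following is an added example, not code from Kaspersky’s report or from the VHD malware, showing how the spreader’s behaviour described above would surface in central authentication logs and how to flag it. From a SIEM’s point of view, brute-forcing SMB with a credential list against every machine looks like one source producing many failed network logons (Windows Security event 4625, logon type 3) against many hosts inside a short window, sometimes followed by a success (event 4624) with one of the sprayed accounts. The pipe-separated log format, the sample lines, the field names and the thresholds are assumptions made for this illustration.

```python
"""SMB credential-spray detector over Windows logon events (added example).

Illustration added to the article; not code from Kaspersky or from the VHD
ransomware. The log format, sample lines and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAILURE, SUCCESS = 4625, 4624   # Windows Security logon event IDs
NETWORK_LOGON = 3               # logon type that SMB connections produce


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    target_host: str
    event_id: int
    logon_type: int
    user: str
    source_ip: str


def parse_line(line: str) -> LogonEvent:
    """Parse one constructed line: ts|target_host|event_id|logon_type|user|source_ip."""
    ts, host, eid, ltype, user, src = (f.strip() for f in line.split("|"))
    return LogonEvent(datetime.fromisoformat(ts), host, int(eid), int(ltype), user, src)


def detect_smb_spray(events, min_hosts=3, min_failures=5, window=timedelta(minutes=10)):
    """Return {source_ip: summary} for every source whose failed network logons
    hit at least min_hosts distinct hosts with at least min_failures attempts
    inside some window-length span. A later network-logon success from the same
    source using one of the sprayed accounts is reported as a likely compromise."""
    by_src = defaultdict(list)
    for ev in events:
        if ev.logon_type == NETWORK_LOGON:
            by_src[ev.source_ip].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        fails = [e for e in evs if e.event_id == FAILURE]
        best = None  # ((distinct hosts, failures), span, hosts) of the densest window
        for i, first in enumerate(fails):
            span = [e for e in fails[i:] if e.ts - first.ts <= window]
            hosts = {e.target_host for e in span}
            key = (len(hosts), len(span))
            if best is None or key > best[0]:
                best = (key, span, hosts)
        if best is None:
            continue
        (n_hosts, n_fails), span, hosts = best
        if n_hosts < min_hosts or n_fails < min_failures:
            continue
        sprayed_users = {e.user for e in span}
        deadline = span[-1].ts + window
        # A success with a sprayed account during or shortly after the spray
        # means one of the listed credentials worked on that host.
        successes = [(e.target_host, e.user) for e in evs
                     if e.event_id == SUCCESS and e.user in sprayed_users
                     and span[0].ts <= e.ts <= deadline]
        alerts[src] = {
            "first": span[0].ts, "last": span[-1].ts,
            "failures": n_fails, "hosts": sorted(hosts),
            "users": sorted(sprayed_users), "successes": successes,
        }
    return alerts


# Constructed sample: 10.0.0.25 sprays two admin accounts over four hosts and
# gets in on HOST-C; 10.0.0.7 is a user mistyping a password; 10.0.0.9 is an
# interactive logon (type 2) and is ignored by the detector.
SAMPLE_LOG = """\
2020-07-28T09:00:01|HOST-A|4625|3|admin|10.0.0.25
2020-07-28T09:00:02|HOST-A|4625|3|Administrator|10.0.0.25
2020-07-28T09:00:04|HOST-B|4625|3|admin|10.0.0.25
2020-07-28T09:00:05|HOST-B|4625|3|Administrator|10.0.0.25
2020-07-28T09:00:07|HOST-C|4625|3|admin|10.0.0.25
2020-07-28T09:00:08|HOST-C|4624|3|Administrator|10.0.0.25
2020-07-28T09:00:10|HOST-D|4625|3|admin|10.0.0.25
2020-07-28T09:00:11|HOST-D|4625|3|Administrator|10.0.0.25
2020-07-28T09:15:00|HOST-A|4625|3|jsmith|10.0.0.7
2020-07-28T09:15:20|HOST-A|4625|3|jsmith|10.0.0.7
2020-07-28T09:15:40|HOST-A|4624|3|jsmith|10.0.0.7
2020-07-28T10:00:00|HOST-B|4624|2|jdoe|10.0.0.9
"""

if __name__ == "__main__":
    events = [parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()]
    for src, a in detect_smb_spray(events).items():
        print(f"{src}: {a['failures']} SMB logon failures against {len(a['hosts'])} hosts "
              f"({', '.join(a['hosts'])}) between {a['first']:%H:%M:%S} and "
              f"{a['last']:%H:%M:%S}; accounts tried: {', '.join(a['users'])}; "
              f"successes: {a['successes']}")
```

The detector keys on breadth (distinct target hosts) rather than on raw failure count because a spreader working from a fixed credential list fails only a handful of times per host but touches every host; a single user locking themselves out trips the count threshold but never the host threshold. Tune the window and thresholds to the environment, and treat a success with a sprayed account as the host to isolate first.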
While analyzing their telemetry, Kaspersky’s researchers discovered that the attackers use a malware loader to load an encrypted next-stage payload. “We’re not sure that the loaded payload is the orchestrator malware, but almost all victims have the loader and orchestrator on the same machine,” the researchers said.
In another incident, the attackers exploited a vulnerable VPN gateway to gain administrative access, deployed a backdoor, took over the Active Directory server, and used it to deploy the ransomware. In these attacks the Lazarus Group also skipped steps that are common in ransomware operations: the attackers did not appear to hunt for backups, did not review financial documents to set an appropriate ransom price, and did not threaten to leak internal information.