North Korea-Linked Lazarus APT is behind the VHD ransomware

Security experts from Kaspersky Lab reported that North Korea-linked hackers are attempting to spread a new ransomware strain known as VHD.

North Korean-linked Lazarus APT Group continues to be very active, the state-sponsored hackers are actively employing new ransomware, tracked as VHD, in attacks aimed at enterprises.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. The group has been linked to several major cyber attacks, including the 2014 Sony Pictures hack, several SWIFT banking attacks since 2016, and the 2017 WannaCry ransomware infection.

Recently Kaspersky experts reported that Lazarus APT Group has used a new multi-platform malware framework, dubbed MATA, to target entities worldwide,

In a separate report, the researchers detailed VHD ransomware samples used by the group between March and May 2020. The samples have been deployed over the network of the target enterprises brute-forcing the SMB service on every discovered machine and using the MATA malware framework (aka Dacls).

Kaspersky researchers investigated two incidents where threat actors deployed the VHD ransomware, attackers’s TTPs were aligned with Lazarus’s ones.

According to Kaspersky, this ransomware implements the standard features of ransomware, experts noticed that it can also suspend processes that could prevent files from being encrypted (such as Microsoft Exchange or SQL Server).

The analysis of the attacks revealed that the VHD ransomware infection chain starting with the hackers gaining access to their victims’ network by exploiting vulnerable VPN gateways.

Then the attackers escalated their privileges on the compromised systems and installed a backdoor that is part of the MATA malware framework.

The attackers leverage the backdoor to control the Active Directory server and use it to deliver VHD ransomware to all systems in the target network within 10 hours using the help of a Python-based loader.

“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus,” reads the report published by Kaspersky. “It’s obvious the group cannot match the efficiency of other cybercrime gangs with their hit-and-run approach to targeted ransomware.”

Kaspersky Lab researchers also published the Indicators of Compromise (IoCs) in their report.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]