North Korea-Linked Lazarus APT is behind the VHD ransomware

Security experts from Kaspersky Lab reported that North Korea-linked hackers are attempting to spread a new ransomware strain known as VHD.

North Korean-linked Lazarus APT Group continues to be very active, the state-sponsored hackers are actively employing new ransomware, tracked as VHD, in attacks aimed at enterprises.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks. The group has been linked to several major cyber attacks, including the 2014 Sony Pictures hack, several SWIFT banking attacks since 2016, and the 2017 WannaCry ransomware infection.

Recently Kaspersky experts reported that Lazarus APT Group has used a new multi-platform malware framework, dubbed MATA, to target entities worldwide,

In a separate report, the researchers detailed VHD ransomware samples used by the group between March and May 2020. The samples have been deployed over the network of the target enterprises brute-forcing the SMB service on every discovered machine and using the MATA malware framework (aka Dacls).

Kaspersky researchers investigated two incidents where threat actors deployed the VHD ransomware, attackers’s TTPs were aligned with Lazarus’s ones.

According to Kaspersky, this ransomware implements the standard features of ransomware, experts noticed that it can also suspend processes that could prevent files from being encrypted (such as Microsoft Exchange or SQL Server).

The analysis of the attacks revealed that the VHD ransomware infection chain starting with the hackers gaining access to their victims’ network by exploiting vulnerable VPN gateways.

Then the attackers escalated their privileges on the compromised systems and installed a backdoor that is part of the MATA malware framework.

The attackers leverage the backdoor to control the Active Directory server and use it to deliver VHD ransomware to all systems in the target network within 10 hours using the help of a Python-based loader.

“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus,” reads the report published by Kaspersky. “It’s obvious the group cannot match the efficiency of other cybercrime gangs with their hit-and-run approach to targeted ransomware.”

Kaspersky Lab researchers also published the Indicators of Compromise (IoCs) in their report.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.