Aurich Lawson / Getty
Lazarus – the North Korean state-owned hacking group behind the WannaCry worm, the $ 81 million theft by a Bangladeshi bank and the attacks on Sony Pictures – wants to increase the ransomware craze, according to researchers at Kaspersky Lab.
Like many of Lazarus' early entries, VHD ransomware is crude. It took 10 hours for the malware to completely infect a target's network. Some unorthodox cryptographic practices are also used that are not "semantically secure" because the patterns of the original files are preserved after encryption. The malware also appears to have caught a victim by accidentally infecting their virtual private network.
In short, VHD is not a Ryuk or WastedLocker. Both are known as "big game hunters" because they target networks of deep pocket organizations and only take days or weeks of careful surveillance after entry.
"It is evident that the group cannot reconcile the efficiency of other cybercrime gangs with their hit-and-run approach to targeted ransomware," wrote Kaspersky Lab researchers Ivan Kwiatkowski, Pierre Delcher and Félix Aime in a post. “Could you really set a reasonable ransom price for your victim in the 10 hours it took to deploy the ransom software? Could you even find out where the backups were? "
An APT includes ransomware
VHD initially caught the researchers' attention for two reasons. First, they had never seen the ransomware before. The other: the spreading technique was atypical for cybercrime groups. In particular, the ransomware attempted to crack passwords for SMB file sharing on every discovered computer and, if successful, used Windows management instrumentation to run itself on network shares.
The approach was more similar to that used to attack Sony Pictures, Shamoon's disk wipe campaign, and the OlympicDestroyer malware that disrupted the 2018 Winter Olympics. Researchers widely believe that these attacks were carried out by government-sponsored hackers from North Korea, Iran, and Russia, often referred to as APTs or advanced persistent threats.
"We had more questions than answers," wrote the researchers. “We felt that this attack did not fit the usual practice of well-known big game hunting groups. In addition, we could only find a very limited number of VHD ransomware examples and some public references in our telemetry. This indicated that this ransomware family may not be widespread in dark market forums as it would normally be. "
After delving further, the researchers found that VHD uses a back door based on MATA, a full-featured framework that runs on Windows, MacOS, and Linux. In a post released last week, Kaspersky Lab offered evidence that strongly linked MATA to Lazarus. Malwarebytes researchers called the backdoor dacls and came to the same assessment independently.
“The data available to us indicate that VHD ransomware is not a standard commercial product. As far as we know, the Lazarus group is the sole owner of the MATA framework, ”wrote the researchers at Kaspersky Lab. "We therefore conclude that the VHD ransomware also belongs to Lazarus and is operated by him."
Lazarus & # 39; use of VHD is in line with the group's pursuit of financially motivated crime, which reportedly generated $ 2 billion last September to fund the country's weapons of mass destruction program. As the researchers found, VHD still has a long way to go to make the surgical and targeted attacks of more advanced ransomware.
"In the end, the only thing that matters is whether these operations are profitable for Lazarus," the researchers wrote. "Only time will tell if they start hunting big game full-time or scrap it as a failed experiment."