Incident analysis by Kaspersky of two cases in Europe and Asia has uncovered that VHD ransomware – first discussed in public in spring 2020 – is owned and operated by Lazarus, a prominent North-Korean APT group. The move by Lazarus, to create and distribute ransomware, signifies a change of strategy and indicates a readiness to enter the big hunt for financial gain, which is highly unusual among state-sponsored APT groups.
In March and April 2020, a few cybersecurity organizations, including Kaspersky, reported on VHD ransomware – a malicious program designed to extort money from its victims, which stood out due to its self-replication method. This malware’s use of a spreading utility compiled with victim-specific credentials was reminiscent of APT campaigns. While, at the time, the actor behind the attacks was not determined, Kaspersky researchers linked the VHD ransomware to Lazarus with high confidence following analysis of an incident where it was used in close conjunction with known Lazarus tools against businesses in France and Asia.
Two separate investigations involving VHD ransomware were conducted between March and May 2020. While the first incident, which occurred in Europe, did not give many hints as to who was behind it, the spreading techniques similar to those used by APT groups kept the investigation team curious. In addition, the attack did not fit the usual modus operandi of known big-game hunting groups. Also, the fact that a very limited number of VHD ransomware samples were available – coupled with very few public references – indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.
The second incident involving VHD ransomware provided a complete picture of the infection chain and enabled the researchers to link the ransomware to Lazarus. Among other things –and most importantly – the attackers used a backdoor, which was a part of a multiplatform framework called MATA, which Kaspersky recently reported on in-depth and is linked to the aforementioned threat actor due to a number of code and utility similarities.
The established connection indicated that Lazarus was behind the VHD ransomware campaigns that have been documented so far. This is also the first time it has been established that the Lazarus group has resorted to targeted ransomware attacks for financial gain, having created and solely operated its own ransomware, which is not typical in the cybercrime ecosystem.
“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware. While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome. The global ransomware threat is big enough as it is, and often has significant financial implications for victim organizations up to the point of rendering them bankrupt. The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors,” comments Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT. “Regardless, organizations need to remember that data protection remains important as never before – creating isolated back-ups of essential data and investing in reactive defenses are absolute must-dos”.
To help businesses stay protected from ransomware, experts also suggest taking the following steps:
• Reduce the chance of ransomware getting through via phishing and negligence: explain to employees how following simple rules can help a company avoid ransomware incidents. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform.
• Ensure all software, applications, and systems are always up to date. Use a protection solution with vulnerability and patch management features, to help identify yet unpatched vulnerabilities in your network.
• Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
• Make sure the right protection is in place for all endpoints and servers, by adopting a solution such as Kaspersky’s Integrated Endpoint Security solution. This combines endpoint security with sandbox and EDR functionality enabling effective protection from even new types of ransomware and instant visibility over the threats detected on corporate endpoints.
• Provide your security team with access to the latest threat intelligence to keep it up to date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
• Ransomware is a criminal offense. If you become a victim, never pay the ransom. Instead, report the incident to your local law enforcement agency. Try to find a decryptor on the internet – you will find some available at https://www.nomoreransom.org/en/index.html
Learn more about the described incidents involving VHD ransomware on Securelist.com.