Aurich Lawson / Getty
Lazarus, the North Korean state hacking group behind the WannaCry worm, the theft of $81 million from a Bangladesh bank, and the attacks on Sony Pictures, is trying to expand into the ransomware craze, according to researchers from Kaspersky Lab.
Like many of Lazarus’ early entries, the VHD ransomware is crude. It took the malware 10 hours to fully infect one target’s network. It also uses some unorthodox cryptographic practices that aren’t “semantically secure,” because patterns of the original files remain after they’re encrypted. The malware also appears to have taken hold of one victim through a chance infection of its virtual private network.
In short, VHD is no Ryuk or WastedLocker. Both are known as “big game hunters” because they target networks belonging to organizations with deep pockets and, after gaining access, strike only after doing days or even weeks of painstaking surveillance.
“It’s obvious the group can’t match the efficiency of other cybercrime gangs with their hit-and-run approach to targeted ransomware,” Kaspersky Lab researchers Ivan Kwiatkowski, Pierre Delcher, and Félix Aime wrote in a post. “Could they really set an adequate ransom price for their victim during the 10 hours it took to deploy the ransomware? Were they even able to figure out where the backups were located?”
An APT embraces ransomware
VHD first caught the researchers’ attention for two reasons. First, they’d never seen the ransomware before. The other: its method for spreading was uncharacteristic of cybercrime groups. Specifically, the ransomware tried to crack passwords for SMB file sharing on each machine it discovered and, when successful, used Windows Management Instrumentation to execute itself onto network shares.
The technique more closely resembled those used in attacks against Sony Pictures, the Shamoon disk-wiping campaigns, and the OlympicDestroyer malware that disrupted the 2018 Winter Olympics. Researchers widely believe these attacks were carried out by government-backed hackers, often called APTs or advanced persistent threats, from North Korea, Iran, and Russia respectively.
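The spreading behaviour described above (a burst of failed SMB logons, a success from the same source, then a process launched under the WMI provider host) is something defenders can hunt for in endpoint telemetry. The following is an added illustration, not code from the article or from Kaspersky’s report: it runs a simple correlation over constructed sample events modelled on Windows Security logon events 4625/4624 (logon type 3 is a network logon, which is what SMB uses) and a Sysmon process-creation event whose parent is WmiPrvSE.exe. Host names, addresses, file paths, the 5-failure threshold and the 10-minute window are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): simplified Security events
# 4625 (failed logon) / 4624 (successful logon) with logon type 3, plus
# Sysmon event ID 1 (process creation) records with their parent image.
def sec(ts, host, eid, src, user):
    return {"ts": ts, "channel": "security", "host": host, "event_id": eid,
            "logon_type": 3, "src_ip": src, "user": user}

SAMPLE_EVENTS = (
    # Eight failed SMB logons in 35 seconds from one source, then a success,
    # then a binary spawned by the WMI provider host on the same machine.
    [sec(f"2020-07-28T10:00:{s:02d}", "FS01", 4625, "10.0.0.5", "admin") for s in range(0, 40, 5)]
    + [sec("2020-07-28T10:00:45", "FS01", 4624, "10.0.0.5", "admin"),
       {"ts": "2020-07-28T10:01:10", "channel": "sysmon", "host": "FS01", "event_id": 1,
        "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Users\Public\payload.exe"},
       # Benign noise: a user mistypes twice on WS02, then a routine WMI query runs.
       sec("2020-07-28T10:02:00", "WS02", 4625, "10.0.0.9", "bob"),
       sec("2020-07-28T10:02:05", "WS02", 4625, "10.0.0.9", "bob"),
       sec("2020-07-28T10:02:10", "WS02", 4624, "10.0.0.9", "bob"),
       {"ts": "2020-07-28T10:03:00", "channel": "sysmon", "host": "WS02", "event_id": 1,
        "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\wbem\WMIC.exe"}]
)

def detect_smb_spray_then_wmi(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Flag hosts where >= fail_threshold failed network logons from one source,
    then a successful network logon from that source, then a process spawned by
    WmiPrvSE.exe all occur on the same host within `window`."""
    fails = defaultdict(list)   # (host, src_ip) -> recent failure timestamps
    burst_success = {}          # (host, src_ip) -> time the brute force succeeded
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["channel"] == "security" and e["logon_type"] == 3:
            key = (e["host"], e["src_ip"])
            if e["event_id"] == 4625:
                fails[key] = [f for f in fails[key] if t - f <= window] + [t]
            elif e["event_id"] == 4624 and len(fails[key]) >= fail_threshold:
                burst_success[key] = t
        elif e["channel"] == "sysmon" and e["event_id"] == 1 \
                and e["parent"].lower().endswith("wmiprvse.exe"):
            for (host, src), ts in burst_success.items():
                if host == e["host"] and timedelta(0) <= t - ts <= window:
                    alerts.append({"host": host, "src_ip": src, "image": e["image"]})
    return alerts

if __name__ == "__main__":
    for a in detect_smb_spray_then_wmi(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: SMB brute force from {a['src_ip']} followed by WMI-spawned {a['image']}")
```

Tuning matters: lowering the failure threshold to 2 also flags the benign WS02 sequence, so the threshold should reflect the real rate of mistyped passwords in the environment.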
“We were left with more questions than answers,” the researchers wrote. “We felt that this attack did not fit the usual modus operandi of known big-game hunting groups. In addition, we were only able to find a very limited number of VHD ransomware samples in our telemetry, and a few public references. This indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.”
After digging in further, the researchers found VHD using a backdoor based on MATA, a full-featured framework that runs on Windows, macOS, and Linux. In a post published last week, Kaspersky Lab offered evidence that strongly tied MATA to Lazarus. Calling the backdoor Dacls, researchers from Malwarebytes independently arrived at the same assessment.
“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework,” Kaspersky Lab researchers wrote. “Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus.”
Lazarus’ use of VHD is consistent with the group’s pursuit of financially motivated crime, which, as of last September, had reportedly generated $2 billion to fund the country’s weapons of mass destruction programs. As the researchers noted, VHD has a long way to go if it’s to catch up with the surgical and targeted strikes of more advanced ransomware.
“In the end, the only thing that matters is whether these operations turned a profit for Lazarus,” the researchers wrote. “Only time will tell whether they jump into hunting big game full time, or scrap it as a failed experiment.”