Lazarus—the North Korean state hacking group behind the WannaCry worm, the theft of $81 million from a Bangladesh bank, and the attacks on Sony Pictures—is looking to expand into the ransomware craze, according to researchers from Kaspersky Lab.
Like many of Lazarus’ early entries, the VHD ransomware is crude. It took the malware 10 hours to fully infect one target’s network. It also uses some unorthodox cryptographic practices that aren’t “semantically secure,” because patterns of the original files remain after they’re encrypted. The malware also appears to have taken hold of one victim through a chance infection of its virtual private network.
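The pattern leak the researchers describe can be shown directly. The following Go program is an added example, not code from the article or from Kaspersky: it assumes AES in ECB mode as the textbook case of deterministic per-block encryption (the article does not say which construction VHD uses) and contrasts it with AES-CTR, counting how many ciphertext blocks repeat in each case.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// sampleFile is a constructed plaintext: one 16-byte header plus 63 identical 16-byte records.
func sampleFile() []byte {
	return append([]byte("HDR:LEDGER v1.0\n"), bytes.Repeat([]byte("ACCT-000042;OK;\n"), 63)...)
}

// encryptECB encrypts each block independently under one key: equal plaintext blocks give
// equal ciphertext blocks, so the file's structure survives encryption (pt must be block-aligned).
func encryptECB(blk cipher.Block, pt []byte) []byte {
	ct := make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		blk.Encrypt(ct[i:i+aes.BlockSize], pt[i:i+aes.BlockSize])
	}
	return ct
}

// encryptCTR XORs the data with a keystream that changes at every block position, so repeats
// vanish; the nonce need not be secret but must never be reused under the same key.
func encryptCTR(blk cipher.Block, nonce, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCTR(blk, nonce).XORKeyStream(ct, pt)
	return ct
}

// repeatedBlocks counts ciphertext blocks that merely repeat an earlier block of the same file.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(ct)/aes.BlockSize - len(seen)
}

func main() {
	blk, err := aes.NewCipher([]byte("0123456789abcdef0123456789abcdef")) // constructed AES-256 key
	if err != nil {
		panic(err)
	}
	nonce := []byte("demo-nonce-16byt") // constructed 16-byte nonce, unique per file in real use
	pt := sampleFile()
	fmt.Printf("repeated blocks out of %d: ECB %d, CTR %d\n", len(pt)/aes.BlockSize,
		repeatedBlocks(encryptECB(blk, pt)), repeatedBlocks(encryptCTR(blk, nonce, pt)))
}
```

Under ECB every one of the 63 identical records encrypts to the same ciphertext block, so an analyst can see the file's record structure without the key; under CTR no block repeats.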
In short, VHD is no Ryuk or WastedLocker. Both are known as “big game hunters” because they target networks belonging to organizations with deep pockets and, after gaining entry, strike only after doing days or weeks of painstaking surveillance.
“It’s obvious the group cannot match the efficiency of other cybercrime gangs with their hit-and-run approach to targeted ransomware,” Kaspersky Lab researchers Ivan Kwiatkowski, Pierre Delcher, and Félix Aime wrote in a post. “Could they really set an adequate ransom price for their victim during the 10 hours it took to deploy the ransomware? Were they even able to figure out where the backups were located?”
An APT embraces ransomware
VHD first caught the researchers’ attention for two reasons. First, they had never seen the ransomware before. Second, its technique for spreading was uncharacteristic of cybercrime groups. Specifically, the ransomware tried to crack passwords for SMB file sharing on each machine it discovered and, when successful, used Windows Management Instrumentation to run itself on those network shares.
The approach more closely resembled those used in attacks against Sony Pictures, the Shamoon disk-wiping campaigns, and the OlympicDestroyer malware that disrupted the 2018 Winter Olympics. Researchers widely believe those attacks were carried out by government-backed hackers—often referred to as APTs or advanced persistent threats—from North Korea, Iran, and Russia respectively.
“We were left with more questions than answers,” the researchers wrote. “We felt that this attack did not fit the usual modus operandi of known big-game hunting groups. In addition, we were only able to find a very limited number of VHD ransomware samples in our telemetry, and a few public references. This indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.”
After digging in further, the researchers found VHD using a backdoor based on MATA, a full-featured framework that runs on Windows, macOS, and Linux. In a post published last week, Kaspersky Lab offered evidence that strongly tied MATA to Lazarus. Calling the backdoor Dacls, researchers from Malwarebytes independently arrived at the same assessment.
“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework,” Kaspersky Lab researchers wrote. “Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus.”
Lazarus’ use of VHD is consistent with the group’s pursuit of financially motivated crime, which, as of last September, had reportedly generated $2 billion to fund the country’s weapons of mass destruction programs. As the researchers noted, VHD has a long way to go if it’s to catch up with the surgical and targeted strikes of more advanced ransomware.
“In the end, the only thing that matters is whether these operations turned a profit for Lazarus,” the researchers wrote. “Only time will tell whether they jump into hunting big game full time, or scrap it as a failed experiment.”