Researchers Attribute Two Targeted Ransomware Attacks to the Lazarus Hacking Group

Lazarus VHD Ransomware

Hollywood would have you believe that hoodie-wearing teenage hackers can bring down entire corporate giants worth billions of dollars from the discomfort of their parents' basement. In the real world, however, things don't really work that way. Sophisticated cyberattacks are carried out by experienced criminals who have a lot of resources at their disposal.

Ransomware campaigns targeting specific organizations are extremely complicated operations that often involve several separate hacking crews that all work on different tasks. One team, for example, would be responsible for providing the Command & Control (C&C) infrastructure, a second one would compromise the victim's network, a third would ensure that as many computers as possible are infected, and a fourth one would be responsible for the actual ransomware payload. Researchers from Kaspersky described the system in greater detail in a blog post on Tuesday, but they also mentioned a couple of exceptions to the rule.

The VHD ransomware catches the experts' attention

The payload of the two cyberattacks Kaspersky's experts described was the VHD ransomware – a relatively new file-encrypting malware that appeared few months ago. The ransomware itself isn't especially sophisticated. It crawls through the hard drives of infected hosts, encrypting files with a combination of AES and RSA, and deleting system restore points in order to make retrieving the data more difficult. Several characteristics of the attacks did catch the researchers' attention, though.

The first one was launched in March, and the experts noticed that it involved a very interesting mechanism for spreading through the victim's network. With the help of an automated tool, the hackers used a list of victim-specific SMB credentials to brute-force their way to other computers, and after successfully connecting to them, they copied a VHD ransomware payload and executed it through WMI calls.

These aren't the techniques a run-of-the-mill hacking crew would use, and the experts knew that they were probably looking at something more serious. They felt the same way a couple of months later when they were called in to respond to another attack featuring the VHD ransomware.

This time, the initial point of entry was a vulnerable VPN gateway through which the hackers gained administrative privileges and deployed a backdoor. Having compromised the victim's Active Directory server, the criminals then proceeded to distribute copies of the VHD ransomware to an unspecified number of computers.

When they took a closer look at the backdoor, the researchers realized what they were dealing with exactly.

The Lazarus connection

The penny dropped when the researchers determined that the backdoor used during the second attack was an instance of what they call the MATA malware framework.

We have talked in the past about how hard attribution is in the cybersecurity world, but having researched it carefully, Kaspersky's experts are pretty much certain that the MATA framework was created and is used by the infamous Lazarus hacking group.

Lazarus is a team of sophisticated hackers responsible for quite a few massive cyberattacks, including the Sony leak from 2014 and the launch of the OlympicDestroyer wiper that paralyzed critical IT infrastructure ahead of the Winter Olympics in Pyeongchang in 2018. Lazarus is believed to be linked to the North Korean government, and its name has been associated with anything from financially-motivated attacks to major cyberespionage campaigns. According to Kaspersky, the VHD ransomware is their latest creation.

The ransomware might not be especially sophisticated, but it hasn't been seen in any other attacks, and the researchers are pretty certain that the hackers aren't renting it from another cybercrime gang. At the same time, they are pretty much sure that Lazarus is the only crew that has access to the tools and techniques used during the attacks in March and May.

Instead of sharing the profits with other cybercrime outfits, Lazarus has decided to go at it alone with the VHD ransomware. Only time will tell if this will be a good strategy, but, considering the group's illustrious portfolio of disruptive cyberattacks, we wouldn't bet against it. If you run an organization that might be targeted by Lazarus, you must make sure that a ransomware attack using the VHD ransomware is in your threat model.

July 29, 2020

Leave a Reply