North Korean Hackers Create Ransomware to Steal Your Cash

Notorious North Korean hacking group Lazarus Group is now targeting victims with home-made ransomware in an effort to enter the "hunt for the big boys."

This is according to an investigation by Russian cybersecurity firm Kaspersky, which in a new report has exposed the Lazarus Group as the threat actor behind the VHD ransomware.

First reported by Russian security researchers in the spring of 2020, VHD ransomware differs from other ransomware families: it is used to extort money from victims, yet it spreads through a "self-replicating method" that is rarely seen in ordinary cybercrime-oriented malware.

"The malware used a spreading utility compiled with victim-specific credentials, reminiscent of an APT campaign," Kaspersky researchers said in a media release. [APT stands for "Advanced Persistent Threat," which generally means that the attacker is not part of a money-making criminal group, but is sponsored or supported by a state with political or strategic motives.]

Kaspersky suggested that "Lazarus' move to create and distribute ransomware represents a change in strategy and indicates that it is ready to enter the big hunt for financial gain."

The Lazarus Group is one of the most reckless and destructive hacking groups in existence; it created the 2017 WannaCry worm, which shut down the UK National Health Service and destroyed data on thousands of computers worldwide.

The Lazarus Group also attacked Sony Pictures in 2014 in retaliation for a satirical comedy about North Korean leader Kim Jong-un and attempted to steal $1 billion from Bangladesh Bank in 2016.

"Lazarus has always existed at a particular intersection between APT and financial crime," says the Kaspersky report. "We can only speculate as to why they are currently running their operations alone. They may find it difficult to interact with the cybercrime underworld, or they may feel that they can no longer afford to share their interests with third parties."

North Korea or not, the best way to avoid falling victim to ransomware is to use the best antivirus program and store your data on the best cloud backup service.

Initially, the creator behind VHD was not known, but Kaspersky researchers, "following analysis of incidents used in close association with known Lazarus tools against French and Asian companies," determined with "a high degree of confidence" that it was indeed the Lazarus Group.

Two incidents are believed to have occurred in which this ransomware was used against targets; the first occurred in Europe and, according to Kaspersky, "did not give much indication as to who was behind it."

However, the investigation team was determined to get to the bottom of the unknown creator because it was using "spreading methods similar to those used by the APT group."

"The attack did not fit the usual modus operandi of known big game hunting groups," Kaspersky said. "The fact that a very limited number of VHD ransomware samples were available--coupled with very few public references--indicated that this family of ransomware may not have been widely traded in dark market forums under normal circumstances."

However, when the second incident occurred, researchers began to connect the dots and better understand who was behind this ransomware.

"Among other things - and most importantly - the attackers used a backdoor, which was part of a multi-platform framework called MATA.

"The connections established indicated that Lazarus was behind the previously documented VHD ransomware campaign." [What is particularly interesting about these incidents is that they suggest that Lazarus has even greater ambitions.]

Kaspersky states: "It has also been proven for the first time that the Lazarus group has resorted to targeted ransomware attacks for financial gain."

Ivan Kwiatkowski, a senior security researcher on Kaspersky's global research and analysis team, warned: "The global ransomware threat is large enough in its current state to have a significant financial impact that often drives victim organizations into bankruptcy.

"The question we must ask ourselves is whether these attacks are an isolated experiment or part of an emerging trend, and by extension, whether we must worry about private companies becoming victims of state-sponsored threat actors.

"Nonetheless, organizations must remember that data protection is more important than ever."