Kaspersky: North Korean hackers are behind the VHD ransomware

North Korean hackers return to actively deploying ransomware after the huge WannaCry debacle.


Antivirus maker Kaspersky said in a report today that hackers associated with the North Korean regime are behind a new ransomware strain known as VHD.

The report details two incidents to which Kaspersky was privy, where intruders gained access to companies' networks and deployed the VHD ransomware.


Kaspersky experts say that tools and techniques used during the two intrusions link the attackers to Lazarus Group -- a generic name given to hackers working for the Pyongyang regime.

This included:

  • the use of the MATA (Dacls) malware framework to deploy VHD as a final payload
  • the use of techniques to move across a victim's internal network that were previously observed in past Lazarus campaigns

"The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus," Kaspersky researchers said today.

Fits in the bigger picture

What Kaspersky has discovered here fits in the bigger picture of the North Korean hacking landscape.

Based on numerous previous reports published over the past four years, North Korean hackers are usually divided into two categories -- (1) those who engage in cyber-espionage for intelligence purposes, and (2) those who engage in financial crime to raise funds for the Pyongyang government (which funds the US Treasury believes are used to support the country's weapons and missile programs).

The VHD attacks are, without a doubt, the work of the second group, which seeks to extort money from hacked organizations.

Some of this group's other money-raising activities included hacking banks, stealing funds from cryptocurrency exchanges, orchestrating ATM cashouts, running crypto-mining botnets, and even engaging in web skimming (Magecart) attacks to steal payment card data and resell it on carding forums.

Other activities also include Lazarus hackers breaking into company networks, stealing data, and then asking victims for a ransom not to publish their data online.

Seeing North Korean hackers engage in ransomware attacks is not surprising, since ransomware attacks are some of today's most profitable cybercrime operations.

It is not the hackers' first foray into the scene. Western intelligence agencies have accused North Korea of creating and losing control of the WannaCry ransomware that spread virulently across the globe in May 2017.

The difference between VHD and WannaCry is that VHD is better coded and that Lazarus operators appear to only deploy it sparingly, on the networks of high-profile companies from where they can demand huge ransoms to decrypt data -- in a tactic that's known today as "big game hunting."