the use of techniques to move across a victim's internal network that were previously observed in past Lazarus campaigns
"The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus," Kaspersky researchers said today.
Fits in the bigger picture
What Kaspersky has discovered here fits in the bigger picture of the North Korean hacking landscape.
Based on numerous previous reports published over the past four years, North Korean hackers are usually divided into two categories -- (1) those who engage in cyber-espionage for intelligence purposes, and (2) those who engage in financial crime to raise funds for the Pyongyang government (funds that the US Treasury believes are used to support the country's weapons and missile programs).
The VHD attacks are, without a doubt, the work of the second group, which seeks to extort money from hacked organizations.
The difference between VHD and WannaCry is that VHD is better coded and that Lazarus operators appear to only deploy it sparingly, on the networks of high-profile companies from where they can demand huge ransoms to decrypt data -- in a tactic that's known today as "big game hunting."