Kaspersky: North Korean hackers are behind the VHD ransomware


Antivirus maker Kaspersky said in a report today that hackers associated with the North Korean regime are behind a new ransomware strain known as VHD.

The report details two incidents to which Kaspersky was privy, where intruders gained access to companies’ networks and deployed the VHD ransomware.

Kaspersky experts say that tools and techniques used during the two intrusions link the attackers to Lazarus Group — a generic name given to hackers working for the Pyongyang regime.

This included:

  • the use of the MATA (Dacls) malware framework to deploy VHD as a final payload
  • the use of techniques to move across a victim’s internal network that were previously observed in past Lazarus campaigns

“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus,” Kaspersky researchers said today.

Fits in the bigger picture

What Kaspersky has discovered here fits in the bigger picture of the North Korean hacking landscape.

Based on numerous previous reports published over the past four years, North Korean hackers are usually divided into two categories — (1) those who engage in cyber-espionage for intelligence purposes, and (2) those who engage in financial crime to raise funds for the Pyongyang government (funds that the US Treasury believes are used to support the country’s weapons and missile programs).

The VHD attacks are, without a doubt, the work of the second group, which seeks to extort money from hacked organizations.

Some of this group’s other money-raising activities included hacking banks, stealing funds from cryptocurrency exchanges, orchestrating ATM cashouts, running crypto-mining botnets, and even engaging in web skimming (Magecart) attacks to steal payment card data and resell it on carding forums.

Other activities also include Lazarus hackers breaking into company networks, stealing data, and then asking victims for a ransom not to publish their data online.

Seeing North Korean hackers engage in ransomware attacks is not surprising, since ransomware attacks are some of today’s most profitable cybercrime operations.

It is not the hackers’ first foray into the scene. Western intelligence agencies have accused North Korea of creating and losing control of the WannaCry ransomware that spread virulently across the globe in May 2017.

The difference between VHD and WannaCry is that VHD is better coded and that Lazarus operators appear to only deploy it sparingly, on the networks of high-profile companies from where they can demand huge ransoms to decrypt data — in a tactic that’s known today as “big game hunting.”
