The notorious state-backed Lazarus cyber crew is behind a ransomware strain dubbed VHD, signaling a change in tactics to create and distribute its own hijacking malware to rip off big businesses, security specialist Kaspersky said in a new report.
While Lazarus is known for stealing money, it has not previously been connected to big game ransomware, a shift that Kaspersky called “highly unusual” for state-sponsored advanced persistent threat (APT) groups.
There’s some notable recent history here that illuminates what Kaspersky calls its “high confidence level” that Lazarus is pulling the VHD strings. Kaspersky was among a number of cybersecurity providers to call out the ransomware last spring, in particular for its method to self-replicate.
At that point, no one had a lead on who owned and operated VHD. But two VHD ransomware incidents, one in France and another in Asia, left behind some clues. First, the France attack did not fit the usual methods of known big-game hunting groups; and, the limited number of VHD ransomware samples left behind and the few public references tipped off Kaspersky that the variant may not be widely traded on dark web marketplaces. That made it an outlier.
The Asia incident enabled Kaspersky’s researchers to link the ransomware to Lazarus:
- The attackers used a backdoor, which was a part of the MATA malware framework, to deliver the VHD payload.
- Techniques used to move across a victim's internal network were seen in past Lazarus campaigns.
“The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors," said Ivan Kwiatkowski, a Kaspersky senior security researcher.
Lazarus has a sordid past. The group has been tied to the $81 million heist from the Bangladesh Central Bank in 2016, the infamous attack on Sony Pictures in 2014 that cost the studio millions, and the destructive WannaCry ransomware assault in 2017. In 2018, Lazarus engineered dozens of large cyber robberies on automated teller machines (ATMs) to make off with millions of dollars in a two-year wave of cyber burglaries.
“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware,” Kwiatkowski said. “While it is obvious that the group cannot match the efficiency of other cyber criminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome,” he said.
Kaspersky reiterated an action item list to safeguard against ransomware attacks that cybersecurity experts have repeatedly recommended:
- Reduce the chance of ransomware getting through via phishing and negligence. Explain to employees how following simple rules can help a company avoid ransomware incidents.
- Put dedicated cybersecurity training and awareness courses on the menu.
- Ensure all software, applications, and systems are always up to date. Use a protection solution with vulnerability and patch management features to help identify yet unpatched vulnerabilities in your network.
- Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
- Provide your security team with access to the latest threat intelligence to keep it up to date with new and emerging tools, techniques and tactics used by threat actors and cyber criminals.
Kaspersky has long advocated that organizations should never pay the ransom if victimized by a cyber kidnapping. The vendor favors reporting the incident to local law enforcement and trying to find a decryptor on the internet.