Operators of VHD Ransomware Unveiled

A state-sponsored threat group has created its own ransomware and is using it against large organizations for financial gain. 

New research published today by Kaspersky claims that a strain of ransomware named VHD, first detected in the Spring, can be attributed to threat group Lazarus with “high confidence.”

Lazarus is a state-sponsored cyber-criminal organization operating with the support of North Korea.

The link between VHD and Lazarus was made during the analysis of a recent cyber-attack targeting businesses in France and Asia. Analysts found that the companies had simultaneously been hit with known Lazarus tools in conjunction with the newly created ransomware.  

Researchers subsequently concluded that it was Lazarus that had created the ransomware and that it was now using it to hit large organizations, a practice known as big-game hunting. 

“The move by Lazarus to create and distribute ransomware signifies a change of strategy and indicates a willingness to engage in big game hunting in pursuit of financial gain, which is highly unusual among state-sponsored APT groups,” said a Kaspersky spokesperson.

VHD ransomware was first reported on in March and April 2020, when it stood out due to its self-replication method. 

“This malware’s use of a spreading utility, compiled with victim-specific credentials, was reminiscent of APT campaigns,” said Kaspersky. 

Researchers found that the attackers using VHD had used a backdoor that was a part of a multi-platform framework called MATA. A number of code and utility similarities link this platform to Lazarus. 

“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware,” said Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT. 

“The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors."

Kwiatkowski advised organizations to avoid becoming ransomware victims by taking preemptive action.

He said: “Organizations need to remember that data protection remains important as never before — creating isolated backups of essential data and investing in reactive defenses are absolute must-dos.”

What’s Hot on Infosecurity Magazine?