North Korean hackers are stepping up their ransomware game, Kaspersky finds

While cybercriminals have been ramping up their ransomware attacks against businesses, schools, and governments, rarely have state-backed hackers relied on ransomware to make a buck. But in recent months it appears that government hackers from North Korea want a piece of the pie, too, according to Kaspersky research.

In two incidents earlier this year affecting two businesses — one in France and one in Asia — hackers tied to the Lazarus Group deployed a little-known ransomware strain called VHD, which is designed to steal money from victims.

A few characteristics tipped off Kaspersky researchers to Lazarus Group’s operations — Kaspersky found few public references and samples of VHD ransomware in their telemetry, indicating the strain was likely not the work of a cybercriminal.

Additionally, in one of the intrusions, the researchers noted that a spreading utility — which would allow the ransomware to proliferate within victim networks — was compiled with credentials specific to the victim. This particular functionality bore a resemblance to attacks where the malware was “wormable,” such as the Sony, Shamoon or Olympic Destroyer attacks, Kaspersky researchers said.

Of course, it’s no surprise that North Korean hackers would run cyber-operations oriented towards collecting funds. In the face of increasingly stringent economic sanctions, North Korean government hackers have been running financially motivated hacking heists.

North Korean government-linked hackers have been accused of using ransomware before, such as in the notoriously sloppy 2017 WannaCry ransomware attack that affected hundreds of thousands of computers in hundreds of countries.

A sloppy history

The ransomware attacks Kaspersky has been tracking this year show the government hackers may be using a little more finesse to achieve their financial goals. In one of the intrusions, the hackers used a backdoor intrinsic to a more polished malware framework linked with Lazarus Group, known as the MATA framework, Kaspersky researchers said.

The use of the framework, which shows the North Korean government hackers working to deliver malware in a more systematic, simple way, is a sign that the more amateurish days of WannaCry — in which the hackers somehow left in a built-in “kill switch” for the ransomware and didn’t collect that many funds in the end — may be over for Lazarus Group.

Since WannaCry, North Korean hackers have avoided using ransomware, focusing more on efforts to breach international financial payment systems such as SWIFT or cryptocurrency entities. Moving back to ransomware would mark a significant shift in North Korean hacking tactics, says Ivan Kwiatkowski, a senior security researcher at Kaspersky.

“While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome,” Kwiatkowski said in a statement. “The global ransomware threat is big enough as it is, and often has significant financial implications for victim organizations up to the point of rendering them bankrupt. The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors.”