Lazarus Group Brings APT Tactics to Ransomware


A new ransomware, VHD, was seen being delivered by the nation-state group’s multiplatform malware platform, MATA.

Targeted ransomware attacks are on the rise, usually perpetrated by financially motivated threat gangs, which often work in concert. However, researchers said that a recent strain of ransomware, called VHD, can be linked to an unusual source: the Lazarus Group APT.

According to researchers from Kaspersky, the VHD ransomware has only been deployed in a handful of instances, with a limited number of samples showing up in the firm’s telemetry. There are also few public references.

This “doesn’t fit the usual modus operandi of known big-game hunting groups,” the researchers explained, in a blog post issued on Tuesday. “This indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.” They added, “The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product.”

Another indication that VHD is different was apparent from the start: An initial VHD incident in Europe involved a worm-like propagation technique reminiscent of APT groups.

“A spreading utility…contained a list of administrative credentials and IP addresses specific to the victim, and leveraged them to brute-force the SMB service on every discovered machine,” according to the post. “Whenever a successful connection was made, a network share was mounted, and the VHD ransomware was copied and executed through WMI calls. This stood out to us as an uncharacteristic technique for cybercrime groups; instead, it reminded us of the APT campaigns Sony SPE, Shamoon and OlympicDestroyer, three previous wipers with worming capabilities.”

All of this is a deviation from the known ransomware ecosystem, according to Kaspersky.

“Criminals [usually] piggyback on widespread botnet infections (for instance, the infamous Emotet and Trickbot malware families) to spread into the network of promising victims, and license ransomware ‘products’ from third-party developers,” the researchers explained. “When the attackers have a good understanding of the target’s finances and IT processes, they deploy the ransomware on all the company’s assets and enter the negotiation phase.”

The VHD ransomware is written in C++ and encrypts files on all connected disks, the analysis determined. It also deletes any folder called “System Volume Information” (which is linked to Windows’ restore point feature). All of this is fairly nondescript, but VHD has two other aspects worth noting, Kaspersky researchers said.

“The program also stops processes that could be locking important files, such as Microsoft Exchange and SQL Server. Files are encrypted with a combination of AES-256 in ECB mode and RSA-2048,” researchers explained. “The ransomware uses Mersenne Twister as a source of randomness, but unfortunately for the victims the RNG is reseeded every time new data is consumed. Still, this is unorthodox cryptography, as is the decision to use the ‘electronic codebook’ (ECB) mode for the AES algorithm.”

VHD also implements a mechanism to resume operations if the encryption process is interrupted. For files larger than 16MB, the ransomware stores the current cryptographic materials on the hard drive, in clear text. Kaspersky pointed out that this information is not deleted securely afterwards, which implies there may be a chance to recover some of the files.
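As an added illustration of why ECB mode is the weak choice the researchers call out, and of how an analyst can spot it in a recovered encrypted file: the check below counts repeated 16-byte ciphertext blocks, which ECB preserves from the plaintext and a chained mode such as CBC does not. This is not code from Kaspersky's analysis or from the VHD sample; it assumes a stand-in keyed block function (HMAC-SHA256 truncated to 16 bytes) in place of AES so it runs with the standard library only, and the sample file is constructed.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 16  # AES block size in bytes; the property shown here depends only on block size


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for a 16-byte block cipher (assumption: any deterministic keyed
    block function shows the ECB repetition problem). Not a cipher; demo only."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def pad(data: bytes) -> bytes:
    """PKCS#7 padding so the input is a whole number of blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks."""
    data = pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first,
    so repeated plaintext no longer produces repeated ciphertext."""
    data, out, prev = pad(data), [], iv
    for i in range(0, len(data), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = block_encrypt(key, mixed)
        out.append(prev)
    return b"".join(out)


def count_duplicate_blocks(ciphertext: bytes) -> tuple:
    """Analyst check: (number of repeated 16-byte blocks, total blocks).
    A high ratio on an encrypted file is a strong hint of ECB mode."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    dup = sum(c - 1 for c in Counter(blocks).values())
    return dup, len(blocks)


def looks_like_ecb(ciphertext: bytes, threshold: float = 0.05) -> bool:
    dup, total = count_duplicate_blocks(ciphertext)
    return total > 0 and dup / total >= threshold


# Constructed sample: a 16-byte header followed by 200 identical 16-byte records,
# mimicking the repetitive structure of a database export or log file.
SAMPLE = b"VHD-demo-header\n" + b"ACCT=0000;BAL=00" * 200
KEY, IV = b"k" * 32, b"\x00" * 16  # constructed demo key and IV
```

Run `count_duplicate_blocks(ecb_encrypt(KEY, SAMPLE))` against `count_duplicate_blocks(cbc_encrypt(KEY, IV, SAMPLE))` to see the ECB output keep 199 of its 202 blocks as repeats while the CBC output keeps none.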

A second VHD case came to light two months later, where Kaspersky was able to learn more about VHD: Specifically, regarding its infection chain. The attack spent 10 hours in the infection phase, and Kaspersky was able to determine that initial access was achieved by exploiting a vulnerable VPN gateway.

“After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system and were able to take over the Active Directory server,” the researchers noted. “They then deployed the VHD ransomware to all the machines in the network. In this instance, there was no spreading utility, but the ransomware was staged through a downloader written in Python that we still believe to be in development.”

Crucially for attribution, however, Kaspersky researchers were able to observe a backdoor used during the incident that turned out to be a version of a multipurpose malware framework called MATA, which targets Windows, Linux and macOS operating systems.

Kaspersky researchers recently uncovered MATA (a.k.a. Dacls) being used in a series of attacks involving the infiltration of corporate entities around the world in a quest to steal customer databases and distribute ransomware. The framework consists of several components, such as a loader, an orchestrator (which manages and coordinates the processes once a device is infected) and plugins. And according to artifacts in the code, Lazarus has been using it since spring 2018.

“The forensics evidence gathered during the incident response process is strong enough that we feel comfortable stating with a high degree of confidence that there was only a single threat actor in the victim’s network during the time of the [second VHD] incident,” according to the post. The researchers added, “and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus.”

Interestingly, the researchers hypothesize that Lazarus is making a big change from its previous approach to cybercrime by mounting such an attack. North Korea-linked Lazarus, a.k.a. Hidden Cobra or APT 38, has been around since 2009. The APT has been linked to the highly destructive WannaCry attack that caused millions of dollars of economic damage in 2017, the SWIFT banking attacks, as well as the high-profile attack against Sony Pictures Entertainment in 2014. Its motivations range from statement-making to espionage to financial gain.

“Lazarus has always existed at a special crossroads between APT and financial crime, and there have long been rumors in the threat intelligence community that the group was a client of various botnet services,” they said. “We can only speculate about the reason why they are now running solo ops: maybe they find it difficult to interact with the cybercrime underworld, or maybe they felt they could no longer afford to share their profits with third parties…. Only time will tell whether they jump into hunting big game full time, or scrap it as a failed experiment.”
