Lazarus Cybercriminals Decided To Make Extra Money On Extortion

Posted by Megiddo (staff member)
The group has created its own ransomware to attack businesses.

The North Korean cybercriminal group Lazarus is actively using its own ransomware, called VHD, to attack enterprises. According to Kaspersky Lab specialists, VHD samples were first discovered between March and May 2020 during the investigation of two security incidents.

According to the Kaspersky Lab report, in the first case the ransomware was pushed across the corporate network by a spreading utility that brute-forced credentials over the SMB protocol; in the second, it was delivered through the malicious MATA framework, also known as Dacls.

In terms of functionality, VHD is standard ransomware. It enumerates the drives connected to the compromised computer, encrypts the files on them, and deletes every System Volume Information folder (where Windows keeps volume shadow copies and restore points), which deprives the victim of the ability to roll the system back. In addition, VHD terminates processes that keep important files open and would otherwise block them from being modified (for example, Microsoft Exchange or SQL Server), so that their data files can be encrypted too.

The researchers found that an attack begins with the exploitation of vulnerabilities in VPN gateways. Once inside the network, the attackers elevate their privileges on the compromised device and install a backdoor that is part of the MATA framework. Using this backdoor they take control of an Active Directory server, from which a Python downloader delivers the VHD payload to every system in the network.

“We know that Lazarus is always looking for financial gain, but after WannaCry we never saw it go into ransomware. While it is clear that the group is far from other cybercriminal groups that use the principle of ‘fight and flight’ in ransomware attacks, the fact that it has turned to these types of attacks is worrying,” the authors of the report note.
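As an added illustration, not code from the original post or from the Kaspersky report, the following Python routine flags the two host-level behaviours the post attributes to VHD: termination of processes that keep Exchange or SQL Server data files locked, followed within a short window by deletion of a volume's System Volume Information folder. The log format, the field names, the list of protected process images and every sample event are constructed for this example; the detection logic is a generic heuristic for this class of ransomware, not something specific to VHD.

```python
"""
Added example (not from the original post or the Kaspersky report): a toy
detector for the VHD-style pattern "kill file-locking services, then delete
System Volume Information". Log format, field names, process list and
sample events are all constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Image names a VHD-style ransomware would need to stop before it can encrypt
# their open files. Assumption for this example, based on the two product
# families the post names (Exchange, SQL Server); extend for your estate.
PROTECTED_PROCESSES = {
    "sqlservr.exe",
    "microsoft.exchange.store.worker.exe",
}

# "<drive>:\System Volume Information" at the root of any volume.
SVI_PATTERN = re.compile(r"^([A-Za-z]:)\\System Volume Information(?:\\|$)", re.IGNORECASE)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    action: str   # "process_terminated" or "dir_deleted"
    target: str   # image name or directory path


def parse_line(line: str) -> Event | None:
    """Parse one constructed 'ts|host|action|target' record; None if malformed."""
    parts = line.strip().split("|", 3)
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return Event(ts, parts[1], parts[2], parts[3])


def detect(lines, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Return one alert per host that lost a System Volume Information folder.

    Severity is 'high' when a protected process was terminated on the same host
    within `window` before such a deletion, otherwise 'medium' (the deletion
    alone is already abnormal for ordinary administration).
    """
    kills: dict[str, list[Event]] = {}
    deletions: dict[str, list[tuple[datetime, str]]] = {}
    for ev in filter(None, map(parse_line, lines)):
        if ev.action == "process_terminated" and ev.target.lower() in PROTECTED_PROCESSES:
            kills.setdefault(ev.host, []).append(ev)
        elif ev.action == "dir_deleted":
            m = SVI_PATTERN.match(ev.target)
            if m:
                deletions.setdefault(ev.host, []).append((ev.ts, m.group(1).upper()))

    alerts = []
    for host, dels in sorted(deletions.items()):
        killed: list[str] = []
        for k in kills.get(host, []):
            in_window = any(timedelta(0) <= d_ts - k.ts <= window for d_ts, _ in dels)
            if in_window and k.target not in killed:
                killed.append(k.target)
        alerts.append({
            "host": host,
            "drives": sorted({drive for _, drive in dels}),
            "killed": killed,
            "severity": "high" if killed else "medium",
        })
    return alerts


# Constructed sample telemetry (not real logs): fs01 shows the full pattern,
# ws07 shows an SVI deletion with no preceding process termination.
SAMPLE_LOG = r"""
2020-03-17T09:00:00Z|fs01|process_terminated|notepad.exe
2020-03-17T10:20:05Z|fs01|process_terminated|sqlservr.exe
2020-03-17T10:20:06Z|fs01|process_terminated|Microsoft.Exchange.Store.Worker.exe
2020-03-17T10:21:40Z|fs01|dir_deleted|C:\System Volume Information
2020-03-17T10:21:41Z|fs01|dir_deleted|D:\System Volume Information
2020-03-17T11:05:00Z|ws07|dir_deleted|C:\Users\alice\Downloads\old
2020-03-17T12:00:00Z|ws07|dir_deleted|E:\System Volume Information
this line is malformed and is skipped
""".strip().splitlines()


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Two caveats for anyone adapting this: directory deletions under System Volume Information are not recorded by default Windows event logging, so the input has to come from an EDR sensor or from file-system object-access auditing on the volume roots; and this rule only catches the final stage. The earlier stages the post describes (VPN gateway exploitation, SMB credential brute-forcing, the MATA backdoor, a Python downloader run from an Active Directory server) each deserve their own detections, since by the time shadow copies are being deleted the encryption is usually seconds away.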