Another Ransomware in the Lazarus Arsenal

The Lazarus Group makes the news again with the VHD ransomware.

What’s going on?

According to research by Kaspersky, the North Korea-linked Lazarus APT group has been spotted using its own ransomware called VHD. The connection was established by researchers during the analysis of attacks conducted by Lazarus on businesses in Asia and France.   

Links to North Korean hacker group

  • The infection chain commenced with the threat actors gaining access to the target networks after exploiting vulnerable VPN gateways.
  • The privileges on the compromised network were escalated and a backdoor was installed, which is a part of the MATA malware framework.
  • This framework was associated with the North Korea-based Lazarus Group based on the one-of-a-kind orchestrator filenames used in versions of the Manuscrypt Trojan or Volgmer.
  • VHD was linked with Lazarus based on the tools leveraged to deploy the ransomware as a part of the two attacks analyzed and the lateral movement techniques used by the threat actors.

Stay safe, but how?

  • Ensure all systems, software, and applications are updated with latest security patches.
  • Conduct a cybersecurity audit of organizational networks and remediate vulnerabilities discovered in the perimeter or inside the network.
  • Ensure that the security teams are powered with the latest threat intelligence and TTPs.

The bottom line

Lazarus has always been financially motivated and has targeted many large global organizations over the years. However, since the notorious WannaCry, Lazarus has largely not been engaged with ransomware until now. It is expected that these recent attacks are part of an emerging trend, pushing organizations to take preemptive security measures against such state-sponsored threats.