Whether their tactics are a test bed or a permanent policy remains to be seen, said worried researchers.

North-Korean advanced persistent threat group (APT) Lazarus has been implicated in two cases of ransomware in the spring 2020.

Incident analysis by Kaspersky of two cases in Europe and Asia has uncovered that VHD ransomware is owned and operated by Lazarus, a prominent North-Korean APT group.

The move by Lazarus to create and distribute ransomware signifies a change of strategy, and indicates a readiness to enter the big hunt for financial gain, which is highly unusual among state-sponsored APT groups, according to Kaspersky researchers.

In March and April 2020, a few cybersecurity firms, including Kaspersky, reported on VHD ransomware – a malicious program designed to extort money from its victims, which stood out due to its self-replication method. This malware’s use of a spreading utility compiled with victim-specific credentials, was reminiscent of APT campaigns. While the threat actor was not determined, Kaspersky researchers linked the VHD ransomware to Lazarus with high confidence following analysis of an incident where it was used in close conjunction with known Lazarus tools against businesses in France and Asia.

Sniffing out the clues

Two separate investigations involving VHD ransomware were conducted between March and May 2020.

The first incident occurred in Europe, but it did not give many hints as to who was behind it. But the spreading techniques similar to those used by APT groups kept the investigation team curious. Also, the attack did not fit the usual modus operandi of known big-game hunting groups. Finally, the fact that a very limited number of VHD ransomware samples were available—coupled with very few public references—indicated that this ransomware family may not have been traded widely on dark market forums, as would usually be the case.

The second incident involving VHD ransomware provided a complete picture of the infection chain and enabled the researchers to link the ransomware to Lazarus. Among other things, the attackers used a backdoor, which was a part of a multi-platform framework called MATA, which Kaspersky recently described in-depth and is linked to the aforementioned threat actor due to a number of code and utility similarities.

The established connection indicated that Lazarus was behind the VHD ransomware campaigns that have been documented so far. This is also the first time it has been established that the Lazarus group has resorted to targeted ransomware attacks for financial gain, having created and solely operated its own ransomware, which is not typical in the cybercrime ecosystem.

Change of tactic is “worrisome”

Said Ivan Kwiatkowski, senior security researcher, Kaspersky: “We have known that Lazarus has always been focused on financial gain. However, since WannaCry we had not really seen any engagement with ransomware. While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome.”

The global ransomware threat is big enough as it is, and often has significant financial implications for victim organizations up to the point of rendering them bankrupt. “The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors,”  Kwiatkowski said.

Regardless, organizations need to remember that data protection remains important as never before—creating isolated back-ups of essential data and investing in reactive defenses are an absolute must-do, said the researcher.