Lazarus—the North Korean state hacking group behind the WannaCry worm, the theft of $81 million from a Bangladesh bank, and the attacks on Sony Pictures—is looking to expand into the ransomware craze, according to researchers from Kaspersky Lab.
Like many of Lazarus' early entries, the VHD ransomware is crude. It took the malware 10 hours to fully infect one target's network. It also uses some unorthodox cryptographic practices that aren't "semantically secure," because patterns of the original files remain after they're encrypted. The malware also appears to have taken hold of one victim through a chance infection of its virtual private network.
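The "semantically secure" remark above is worth making concrete: if a cipher maps equal plaintext blocks to equal ciphertext blocks, the layout of a file (runs of zeros, repeated records) survives encryption even though the content is hidden. The block below is an added example, not code from the article or from Kaspersky's analysis, and the article does not say which construction VHD uses; a toy 16-byte Feistel cipher built on HMAC-SHA256 stands in for a real block cipher, a deterministic per-block mode (ECB-style) is compared with a counter mode that mixes in a per-file nonce, and the sample "file" is constructed for the example.

```python
"""Why a deterministic per-block cipher mode leaks plaintext patterns.

Added example. The toy block cipher, both modes and the sample file are
constructed for illustration; none of this is the VHD implementation.
"""
import hashlib
import hmac
import os

BLOCK = 16  # bytes per block


def _round(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed round function: HMAC-SHA256 truncated to one 8-byte half-block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel network: an invertible keyed permutation on 16-byte blocks.
    Deterministic by design: the same (key, block) always yields the same output."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, r, i)))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = bytes(a ^ b for a, b in zip(r, _round(key, l, i))), l
    return l + r


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """Each block encrypted independently: equal plaintext blocks -> equal ciphertext blocks."""
    assert len(data) % BLOCK == 0
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ecb_decrypt(key: bytes, data: bytes) -> bytes:
    return b"".join(toy_block_decrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode: keystream block n = E(key, nonce || n), XORed with the data.
    A fresh nonce per file means equal plaintext blocks get different keystream.
    Decryption is the same operation."""
    out = bytearray()
    for n, i in enumerate(range(0, len(data), BLOCK)):
        keystream = toy_block_encrypt(key, nonce + n.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + BLOCK], keystream))
    return bytes(out)


def repeated_block_fraction(data: bytes) -> float:
    """Share of 16-byte blocks that duplicate an earlier block (0.0 = no repeats)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return 1 - len(set(blocks)) / len(blocks)


# Constructed sample: a header record surrounded by padding, as in many file formats.
SAMPLE_FILE = b"\x00" * BLOCK * 8 + b"HEADER-RECORD-01" + b"\x00" * BLOCK * 8
KEY = b"constructed-example-key"
NONCE = os.urandom(8)  # must be unique per file in real use


def demo() -> dict:
    """Pattern survival under each mode: ECB mirrors the plaintext exactly, CTR shows none."""
    return {
        "plaintext": repeated_block_fraction(SAMPLE_FILE),
        "ecb": repeated_block_fraction(ecb_encrypt(KEY, SAMPLE_FILE)),
        "ctr": repeated_block_fraction(ctr_encrypt(KEY, NONCE, SAMPLE_FILE)),
    }


if __name__ == "__main__":
    print(demo())
```

The `repeated_block_fraction` figure is the same before and after ECB-style encryption because the cipher is a permutation: distinct blocks stay distinct and equal blocks stay equal, which is exactly the kind of pattern the researchers noticed. Under counter mode with a unique nonce the figure drops to zero. The same check (counting repeated blocks in a recovered encrypted sample) is a quick triage step when assessing how much a ransomware's output reveals about the original file.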
In short, VHD is no Ryuk or WastedLocker. Both are known as “big game hunters” because they target networks belonging to organizations with deep pockets and, after gaining entry, strike only after doing days or weeks of painstaking surveillance.
“It's obvious the group cannot match the efficiency of other cybercrime gangs with their hit-and-run approach to targeted ransomware,” Kaspersky Lab researchers Ivan Kwiatkowski, Pierre Delcher, and Félix Aime wrote in a post. “Could they really set an adequate ransom price for their victim during the 10 hours it took to deploy the ransomware? Were they even able to figure out where the backups were located?”
An APT embraces ransomware
VHD first caught the researchers' attention for two reasons. First, they had never seen the ransomware before. The other: its technique for spreading was uncharacteristic of cybercrime groups. Specifically, the ransomware tried to crack passwords for SMB file sharing on each machine it discovered and, when successful, used Windows Management Instrumentation to execute itself on the network shares.
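From a detection standpoint, the spreading behaviour just described leaves a recognisable trail in Windows Security logs: a burst of failed logons from one source against many hosts, a network logon that finally succeeds, and shortly afterwards a process on that host whose parent is the WMI provider host. The block below is an added example and not a Kaspersky detection rule; it assumes events already normalised into dicts, uses Windows event IDs 4625 (failed logon), 4624 (successful logon, logon type 3 for network/SMB) and 4688 (process creation), and assumes that a WMI-launched process appears with `WmiPrvSE.exe` as its parent. The event records are constructed for the example.

```python
"""Correlating SMB password guessing with follow-on WMI execution.

Added example; the event records are constructed and the thresholds are
illustrative, not tuned values from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: one source sprays three hosts, succeeds on WS07, then
# spawns a process there through WMI. Two benign records are mixed in.
EVENTS = [
    {"ts": "2020-03-01T10:00:01", "id": 4625, "src": "10.0.0.5", "host": "FS01", "user": "admin"},
    {"ts": "2020-03-01T10:00:02", "id": 4625, "src": "10.0.0.5", "host": "FS01", "user": "admin"},
    {"ts": "2020-03-01T10:00:03", "id": 4625, "src": "10.0.0.5", "host": "FS02", "user": "admin"},
    {"ts": "2020-03-01T10:00:04", "id": 4625, "src": "10.0.0.5", "host": "FS02", "user": "admin"},
    {"ts": "2020-03-01T10:00:05", "id": 4625, "src": "10.0.0.5", "host": "WS07", "user": "admin"},
    {"ts": "2020-03-01T10:00:06", "id": 4624, "src": "10.0.0.5", "host": "WS07", "user": "admin", "logon_type": 3},
    {"ts": "2020-03-01T10:00:09", "id": 4688, "host": "WS07", "parent": "WmiPrvSE.exe",
     "image": "C:\\Windows\\Temp\\payload-placeholder.exe"},
    # Benign noise: a single mistyped password, and a routine WMI child elsewhere.
    {"ts": "2020-03-01T10:01:00", "id": 4625, "src": "10.0.0.9", "host": "FS01", "user": "alice"},
    {"ts": "2020-03-01T10:02:00", "id": 4688, "host": "FS01", "parent": "WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe"},
]


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def find_spraying_sources(events, window=timedelta(minutes=5), min_failures=4, min_hosts=2):
    """Sources with >= min_failures failed logons against >= min_hosts distinct hosts
    inside a sliding `window`. Returns {source: [hosts targeted]}."""
    by_src = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in by_src.items():
        fails.sort(key=lambda e: parse_ts(e["ts"]))
        for i, start in enumerate(fails):
            in_win = [f for f in fails[i:] if parse_ts(f["ts"]) - parse_ts(start["ts"]) <= window]
            hosts = {f["host"] for f in in_win}
            if len(in_win) >= min_failures and len(hosts) >= min_hosts:
                flagged[src] = sorted(hosts)
                break
    return flagged


def find_wmi_execution_after_spray(events, sprayers, follow=timedelta(minutes=10)):
    """For each flagged source: a later successful network logon from it, followed within
    `follow` by a WMI-spawned process on the same host. Returns [(src, host, image)]."""
    successes = [e for e in events
                 if e["id"] == 4624 and e.get("logon_type") == 3 and e["src"] in sprayers]
    procs = [e for e in events
             if e["id"] == 4688 and e.get("parent", "").lower() == "wmiprvse.exe"]
    alerts = []
    for s in successes:
        for p in procs:
            delta = parse_ts(p["ts"]) - parse_ts(s["ts"])
            if p["host"] == s["host"] and timedelta(0) <= delta <= follow:
                alerts.append((s["src"], p["host"], p["image"]))
    return alerts


def run(events=EVENTS):
    sprayers = find_spraying_sources(events)
    return sprayers, find_wmi_execution_after_spray(events, sprayers)


if __name__ == "__main__":
    print(run())
```

The two stages are kept separate on purpose: the spraying detector alone is noisy (helpdesk resets, misconfigured services), and WMI-spawned processes alone are routine on managed fleets, but a WMI child appearing on a host minutes after a spraying source first logged into it is the sequence the article describes and is rare in normal operation. Thresholds and the follow-on window are the knobs to tune against your own baseline.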
The approach more closely resembled those used in attacks against Sony Pictures, the Shamoon disk-wiping campaigns, and the OlympicDestroyer malware that disrupted the 2018 Winter Olympics. Researchers widely believe those attacks were carried out by government-backed hackers—often referred to as APTs or advanced persistent threats—from North Korea, Iran, and Russia respectively.
“We were left with more questions than answers,” the researchers wrote. “We felt that this attack did not fit the usual modus operandi of known big-game hunting groups. In addition, we were only able to find a very limited number of VHD ransomware samples in our telemetry, and a few public references. This indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.”
After digging in further, the research
arstechnica