التكنولوجيا وأخبارها بوابة مصر لأخبار تكنولوجيا المعلومات والإتصالات
Incident analysis by Kaspersky of two cases in Europe and Asia has uncovered that VHD
ransomware–first discussed in public in spring 2020– is owned and operated by Lazarus, a
prominent North-Korean APT group. The move by Lazarus,to create and distribute
ransomware, signifies a change of strategy and indicatesa readiness to enter the big hunt
for financial gain, which is highly unusualamong state-sponsored APT groups.
In March and April 2020,a few cybersecurity organizations, including Kaspersky, reported
on VHD ransomware – a malicious program designed to extort money from its victims,
which stood out due to its self-replication method. This malware’s use of a spreading utility
compiled with victim-specific credentials was reminiscent of APT campaigns. While, at the
time, the actor behind the attacks was not determined, Kaspersky researchers linked the
VHD ransomware to Lazarus with high confidence following analysis of an incident where it
was used in close conjunction with known Lazarus tools against businesses in France and
Asia.
Two separate investigations involving VHD ransomware were conducted between March
and May 2020. While the first incident, which occurred in Europe, did not give many hints
as to who was behind it, the spreading techniques similar to those used by APT groups kept
the investigation team curious. In addition, the attack did not fit the usual modus operandi
of known big-game hunting groups. Also, the fact that a very limited number of VHD
ransomware samples were available – coupled with very few public references – indicated
that this ransomware family might not be traded widely on dark market forums, as would
usually be the case.
The second incident involving VHD ransomware provided a complete picture of the
infection chain and enabled the researchers to link the ransomware to Lazarus. Among
other things –and most importantly – the attackers used a backdoor, which was a part of a
multiplatform framework called MATA, which Kaspersky recently reported on in-depth and
is linked to the aforementioned threat actor due to a number of code and utility similarities.
The established connection indicatedthat Lazarus was behind the VHD ransomware
campaigns that have been documented so far.This is also the first time it has been established that the Lazarus group has resorted to targeted ransomware attacks for
financial gain, having created and solely operated its own ransomware, which is not typical
in the cybercrime ecosystem.
“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware. While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome. The global ransomware threat is big enough as it is, and often has significant financial implications for victim organizations up to the point of rendering them bankrupt. The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors,” comments Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT. “Regardless, organizations need to remember
that data protection remains important as never before – creating isolated back-ups of
essential data and investing in reactive defensesare absolute must-dos”.
To help businesses stay protected from ransomware, experts also suggest taking the
following steps:
• Reduce the chance of ransomware getting through via phishing and negligence: explain
to employees how following simple rules can help a company avoidransomware incidents.
Dedicated training courses can help, such as the ones provided in the Kaspersky Automated
Security Awareness Platform.
• Ensure all software, applications, and systems are always up to date. Use a protection
solution with vulnerability and patch management features, to help identify yet unpatched
vulnerabilities in your network.
• Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
• Make sure the right protection is in place for all endpoints and servers, by adopting a
solution such as Kaspersky’s Integrated Endpoint Security solution. This combines endpoint security with sandbox and EDR functionality enabling effective protection from even new types of ransomware and instant visibility over the threats detected on corporate endpoints.
• Provide your security team with access to the latest threat intelligence to keep it up to date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
• Ransomware is a criminal offense. If you become a victim, never pay the ransom. Instead, report the incident to your local law enforcement agency. Try to find a decryptor on the internet
