Sunday, July 14, 2024

Lazarus Hacking Groups Behind the Targeted VHD Ransomware Attacks

Lazarus hacker group is known for its attack on Sony Pictures in 2014, the group is financially motivated and know to be active since 2009.

The Lazarus Group believed to be operated by the North Korean government, the group is designated as an advanced persistent threat due to intended nature, threat, and a wide array of methods.

Starting from the year 2020, targeted ransomware attacks are on the rise, researchers discovered the recent ransomware strain, called VHD, associated with an unfamiliar source.

APT Tactics with VHD Ransomware Attacks

Researchers observed a new ransomware campaign that uses APT groups spreading techniques deployed only in a limited number of instances.

Attackers use piggyback methods to spread the infection into the victim’s network and once they gain understanding about the target’s finances and IT structures they process the encryption.

Kaspersky researchers observed an incident in Europe that features the new ransomware family VHD and it uses written in C++ distributed APT group spreading technique.

The ransomware has nothing special, like other ransomware it “crawls all connected disks to encrypt files and delete any folder called System Volume Information. Also, it blocks process locking important files.”

The files are encrypted in the combination of AES-256 in ECB mode and RSA-2048 and it also includes a mechanism to resume ransomware if interested.

The ransomware also includes a spreading utility that propagates ransomware inside the network, the spreading utility contains a list of admin credentials that used to brute-force SMB service on every machine.

“Whenever a successful connection was made, a network share was mounted, and the VHD ransomware was copied and executed through WMI calls. This stood out to us as an uncharacteristic technique for cybercrime groups; instead, it reminded us of the APT campaigns Sony SPE, Shamoon and OlympicDestroyer, three previous wipers with worming capabilities.”

Researchers felt that attack did “not fit the usual modus operandi of known big-game hunting groups, also limited public samples found.”

In another incident, the attackers exploit a vulnerable VPN gateway that allows attackers to admin access and they deploy a backdoor to take over the Active Directory server and to deploy the ransomware.

“The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework.”




The ransomware attacks now become an easy and malicious way of robbing individuals and company’s can cost billions of dollars not to mention the privacy and safety implications.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.


Latest articles

mSpy Data Breach: Millions of Customers’ Data Exposed

mSpy, a widely used phone spyware application, has suffered a significant data breach, exposing...

Advance Auto Parts Cyber Attack: Over 2 Million Users Data Exposed

RALEIGH, NC—Advance Stores Company, Incorporated, a prominent commercial entity in the automotive industry, has...

Hackers Using ClickFix Social Engineering Tactics to Deploy Malware

Cybersecurity researchers at McAfee Labs have uncovered a sophisticated new method of malware delivery,...

Coyote Banking Trojan Attacking Windows Users To Steal Login Details

Hackers use Banking Trojans to steal sensitive financial information. These Trojans can also intercept...

Hackers Created 700+ Fake Domains to Sell Olympic Games Tickets

As the world eagerly anticipates the Olympic Games Paris 2024, a cybersecurity threat has...

Japanese Space Agency Spotted zero-day via Microsoft 365 Services

The Japan Aerospace Exploration Agency (JAXA) has revealed details of a cybersecurity incident that...

Top 10 Active Directory Management Tools – 2024

Active Directory Management Tools are essential for IT administrators to manage and secure Active...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles