North Korea’s Lazarus Hackers Going For A Mega Hunt
Lazarus hackers, a notorious group of cybercriminals allegedly linked to the North Korean government, kept their cryptocurrency extortion efforts active in the first half of 2020. Reports that emerged on July 28 reveal that new ransomware from North Korea is now designed to target big companies around the world.
In 2019, the hackers targeted many crypto exchanges, and their illegal activities were documented in a report by Chainalysis. One of their major attacks relied on a fictitious trading bot. The bot was delivered to employees working at the DragonEX exchange.
According to the findings acquired in March 2019, Lazarus hackers managed to steal almost $7 million in various crypto denominations from the Singapore-based exchange.
Last month, the cybersecurity vendor Cyfirma warned that the North Korean cybercriminal group is highly likely to launch a major cryptocurrency phishing campaign. The campaign might target six countries and affect over five million individuals and companies.
For now, however, there are no confirmed signs that the Lazarus hackers plan to launch such a widespread attack.
The Lazarus group is also known to have stolen $571 million in cryptocurrencies since the start of 2017, according to Group-IB. Data from the cyber-crime research firm Group-IB indicates that most of the targeted exchanges are based in South Korea. They include Bithumb, YouBit, and Coinrail.
In March 2020, the US Department of the Treasury’s Office of Foreign Assets Control, or OFAC, decided to sanction two individuals from China. These Chinese nationals faced allegations of laundering cryptocurrency that had come from a 2018 crypto exchange hack.
A New Ransomware Is Developed By Lazarus
Research performed by Kaspersky, whose findings were published on July 28, 2020, indicates that Lazarus has developed new ransomware. This new threat goes by the name Virtual Hard Disk (VHD) malware. It is designed primarily to target the internal networks of companies that operate in the economic sector.
VHD implements a mechanism to resume its work whenever the encryption process is interrupted. For files bigger than 16MB, the ransomware keeps all of the current cryptographic data on the hard drive in cleartext. That data is not securely deleted afterward, which means some of these files might be recoverable.
James McQuiggan, security awareness advocate at KnowBe4, explained how the VHD ransomware operates:
“A VHD, or Virtual Hard Disk, is a similar concept to that of a USB drive. Instead of physically inserting the USB drive into the port on a computer, the VHD file can be downloaded onto a system to launch the ransomware attack process. For cybercriminals, they don’t need physical access, just electronic access to download the file. This type of attack requires access to the systems. By exploiting external and vulnerable infrastructure or systems, they gain the access needed.”
The data acquired by Kaspersky suggests that the VHD ransomware is not a commercial off-the-shelf product. Since the Lazarus group is the sole owner of the MATA framework, the VHD ransomware is also owned, managed, and operated by the hackers.
Lazarus Hackers’ Group Operating Solo Ops
Experts at Kaspersky speculated on the possible reasons behind Lazarus’s decision to operate solo ops:
“We can only speculate about the reason why they are now running solo ops; maybe they find it difficult to interact with the cybercrime underworld, or maybe they felt they could no longer afford to share their profits with third parties.”
The Lazarus hackers group mainly attacks company networks in order to encrypt their data. After a successful attack, they pressure the victim into paying a crypto-based ransom, and in most cases they demand payment in Monero (XMR).