
Lazarus Group Brings APT Tactics to Ransomware
2020-07-28 21:20

"Whenever a successful connection was made, a network share was mounted, and the VHD ransomware was copied and executed through WMI calls. This stood out to us as an uncharacteristic technique for cybercrime groups; instead, it reminded us of the APT campaigns Sony SPE, Shamoon and OlympicDestroyer, three previous wipers with worming capabilities."
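The lateral-movement pattern quoted above (remote admin-share access followed by process execution through WMI) is something a defender can look for in existing Windows telemetry. The script below is an added example written for this page; it is not Kaspersky's or Threatpost's code and has nothing to do with the VHD sample itself. It assumes two event sources have already been normalised into a simple record: Security event 5140 (a network share object was accessed) and Sysmon event 1 (process creation, with its ParentImage field). The host names, IPs, timestamps and file paths in `sample_events()` are constructed for the example.

```python
"""Detect 'admin share accessed, then WmiPrvSE.exe spawned a process' on one host.

Added example for this page (not the original article's code). Input records are
a constructed, normalised form of Windows Security 5140 and Sysmon event 1.
"""
from dataclasses import dataclass
from typing import Dict, List

# Administrative shares commonly used to stage a file on a remote host.
# Assumption: these are the share names the rule treats as interesting.
ADMIN_SHARES = ("ADMIN$", "C$", "IPC$")
# WMI provider host; a process whose parent is this binary was started via WMI.
WMI_HOST_PROCESS = "wmiprvse.exe"


@dataclass
class Event:
    ts: int                  # epoch seconds
    host: str                # computer the event was logged on
    kind: str                # "share_access" (Security 5140) or "process_create" (Sysmon 1)
    share: str = ""          # share_access: UNC path, e.g. \\WS-01\ADMIN$
    src_ip: str = ""         # share_access: client address
    image: str = ""          # process_create: full path of the new process
    parent: str = ""         # process_create: full path of the parent process


def is_admin_share(share: str) -> bool:
    """True if the UNC path ends in one of the administrative share names."""
    return share.rsplit("\\", 1)[-1].upper() in ADMIN_SHARES


def detect_share_then_wmi(events: List[Event], window: int = 300) -> List[dict]:
    """Return one alert per process that WmiPrvSE.exe spawned within `window`
    seconds after an admin share on the same host was accessed remotely."""
    alerts: List[dict] = []
    last_share: Dict[str, Event] = {}  # host -> most recent admin-share access
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "share_access" and is_admin_share(ev.share):
            last_share[ev.host] = ev
        elif ev.kind == "process_create" and ev.parent.lower().endswith(WMI_HOST_PROCESS):
            prior = last_share.get(ev.host)
            if prior is not None and 0 <= ev.ts - prior.ts <= window:
                alerts.append({
                    "host": ev.host,
                    "share": prior.share,
                    "src_ip": prior.src_ip,
                    "image": ev.image,
                    "delay_s": ev.ts - prior.ts,
                })
    return alerts


def sample_events() -> List[Event]:
    """Constructed telemetry: one true sequence (WS-01), one WMI spawn with no
    prior share access (WS-02), one share access whose follow-up is too late (WS-03)."""
    wmi = r"C:\Windows\System32\wbem\WmiPrvSE.exe"
    return [
        Event(100, "WS-01", "share_access", share=r"\\WS-01\ADMIN$", src_ip="10.0.0.5"),
        Event(130, "WS-01", "process_create", image=r"C:\Windows\Temp\svc.exe", parent=wmi),
        Event(200, "WS-02", "process_create", image=r"C:\Windows\System32\cmd.exe", parent=wmi),
        Event(300, "WS-03", "share_access", share=r"\\WS-03\C$", src_ip="10.0.0.5"),
        Event(1000, "WS-03", "process_create", image=r"C:\Windows\Temp\svc.exe", parent=wmi),
        Event(400, "WS-04", "share_access", share=r"\\WS-04\Public", src_ip="10.0.0.9"),
    ]


def run_sample() -> List[dict]:
    return detect_share_then_wmi(sample_events())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)  # expects one alert, for WS-01
```

The rule keys on the parent process rather than on the WMI call itself, because the call is made on the source machine while the resulting process creation is logged on the target; the five-minute window and the share list are tuning choices, and in a real environment legitimate management tooling that pushes files over ADMIN$ and starts them via WMI will need to be allow-listed by source address or account.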

The VHD ransomware is written in C++ and encrypts files on all connected disks, the analysis determined.

"They then deployed the VHD ransomware to all the machines in the network. In this instance, there was no spreading utility, but the ransomware was staged through a downloader written in Python that we still believe to be in development."

Kaspersky researchers recently uncovered MATA being used in a series of attacks involving the infiltration of corporate entities around the world in a quest to steal customer databases and distribute ransomware.

The researchers added, "And as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus."


News URL

https://threatpost.com/lazarus-group-apt-tactics-ransomware/157815/