North Korean Hackers Operate VHD Ransomware, Kaspersky Says (Security News, July 2020)
The VHD ransomware family that emerged earlier this year is the work of North Korea-linked threat actor Lazarus, Kaspersky's security researchers reveal.
Several malware families have been attributed to Lazarus over the past several months, including new Mac malware families and the cross-platform malware framework MATA. Now, Kaspersky reveals that the threat actor is also operating the VHD ransomware, which has been observed in two campaigns in March and May 2020.
Kaspersky's researchers are confident that the North Korean hackers have indeed added ransomware to their arsenal, targeting enterprises for financial gain.
"We have known that Lazarus has always been focused on financial gain; since WannaCry we had not really seen any engagement with ransomware," said Ivan Kwiatkowski, senior security researcher at Kaspersky's GReAT. VHD ransomware was initially observed in an attack in Europe, propagating inside compromised networks by brute-forcing the SMB service of identified computers using a "list of administrative credentials and IP addresses specific to the victim," Kaspersky says.
"The data we have at our disposal tends to indicate that the VHD ransomware is not a commercial off-the-shelf product; and as far as we know, the Lazarus group is the sole owner of the MATA framework. Hence, we conclude that the VHD ransomware is also owned and operated by Lazarus," the security researchers say.
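The propagation behaviour described above, one foothold host trying a fixed list of administrative credentials over SMB against many machines in quick succession, leaves a recognisable pattern in authentication logs: a single source address producing network logons (Windows logon type 3) against many distinct hosts with several distinct accounts inside a short window, with a mix of failures and successes. The script below is an added example written for this page, not code from Kaspersky or from the article. The log lines are constructed, and the simplified whitespace-separated event layout (timestamp, event ID 4624/4625, logon type, target host, account, source IP) is an assumption standing in for whatever your SIEM exports.

```python
"""Flag sources that spray administrative credentials over SMB across many hosts.

Added example, not code from the Kaspersky report or the article. SAMPLE_LOG is
constructed; the field layout (timestamp, event id, logon type, host, account,
source ip) is an assumed simplification of Windows Security events 4624/4625.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. The first source walks four hosts with three admin-style
# accounts in five seconds; the second is an ordinary user on one file server.
SAMPLE_LOG = """\
2020-03-10T02:14:01 4625 3 FS01 Administrator 10.0.5.23
2020-03-10T02:14:02 4625 3 FS01 backup_admin 10.0.5.23
2020-03-10T02:14:02 4624 3 FS01 svc_deploy 10.0.5.23
2020-03-10T02:14:03 4625 3 DB02 Administrator 10.0.5.23
2020-03-10T02:14:03 4625 3 DB02 backup_admin 10.0.5.23
2020-03-10T02:14:04 4624 3 DB02 svc_deploy 10.0.5.23
2020-03-10T02:14:05 4625 3 WS-117 Administrator 10.0.5.23
2020-03-10T02:14:05 4624 3 WS-117 backup_admin 10.0.5.23
2020-03-10T02:14:06 4625 3 HR-PRINT Administrator 10.0.5.23
2020-03-10T02:14:06 4624 3 HR-PRINT svc_deploy 10.0.5.23
2020-03-10T09:00:00 4624 3 FS01 jsmith 10.0.7.41
2020-03-10T09:05:00 4624 3 FS01 jsmith 10.0.7.41
2020-03-10T09:06:12 4625 3 FS01 jsmith 10.0.7.41
"""


def parse_events(text):
    """Parse the assumed log layout into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, host, account, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "host": host,
            "account": account,
            "src": src,
        })
    return events


def summarise(span):
    """Summarise one source's events: which hosts and accounts, and which logons worked."""
    return {
        "hosts": sorted({e["host"] for e in span}),
        "accounts": sorted({e["account"] for e in span}),
        "failures": sum(1 for e in span if e["event_id"] == 4625),
        "successes": sorted({(e["host"], e["account"]) for e in span if e["event_id"] == 4624}),
    }


def find_spraying_sources(events, window=timedelta(minutes=5), min_hosts=3, min_accounts=2):
    """Return {source_ip: summary} for sources whose network logons (type 3) hit at
    least `min_hosts` distinct hosts with at least `min_accounts` distinct accounts
    inside any `window`-long interval. Successes count too: a spray that lands
    looks like successful lateral movement, not just failed logons."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:
            by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window so evs[start:end+1] spans at most `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            if (len({e["host"] for e in span}) >= min_hosts
                    and len({e["account"] for e in span}) >= min_accounts):
                # Threshold crossed: report everything this source did within the
                # full window starting at `start`, not only the events seen so far.
                limit = evs[start]["ts"] + window
                alerts[src] = summarise([e for e in evs[start:] if e["ts"] <= limit])
                break
    return alerts


if __name__ == "__main__":
    for src, info in find_spraying_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {len(info['hosts'])} hosts, {len(info['accounts'])} accounts, "
              f"{info['failures']} failures, successes={info['successes']}")
```

The thresholds are deliberately low so the constructed sample trips them; in production tune `window`, `min_hosts` and `min_accounts` against a baseline of legitimate management traffic (backup agents, vulnerability scanners and deployment tools also touch many hosts with one service account, which is why the rule requires several distinct accounts and not just several hosts). The `successes` list is the part an incident responder acts on first, since each successful (host, account) pair is a machine the operator now controls and a credential that must be rotated.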