North Korean Hackers May Be Dabbling in Ransomware Again

The North Korean hackers allegedly behind the 2017 WannaCry outbreak appear to be dipping their toes back into launching ransomware attacks.

Kaspersky Lab investigated two attacks earlier this year involving the VHD ransomware strain. Evidence left behind shows the culprits used a unique hacking tool that’s been tied to other intrusions attributed to the North Korean hacking known as Lazarus. 

The attacks have Kaspersky Lab worried the country’s state-sponsored hackers could be preparing other ransomware attacks. North Korea has already been blamed for numerous cyber intrusions that have stolen funds from banks and cryptocurrency exchanges. However, the country’s hackers have generally refrained from resorting to ransomware, which can encrypt your computer’s files, holding them hostage unless you pay a fee.

The one exception is WannaCry, which attacked hundreds of thousands of vulnerable Windows machines in May 2017. While WannaCry excelled at spreading across the globe, the actual ransomware component was shoddily built, and could not tell which victims actually sent Bitcoin to pay off the ransom.

The same assault only demanded victims pay $300 or $600 per infected computer. Other high-profile ransomware attacks can demand six figures or more when the malicious code is able to encrypt computers belonging to a corporation or hospital. 

“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware,” Kaspersky Lab researcher Ivan Kwiatkowski said in a statement.

However, this may no longer be the case. In March, Kaspersky Lab investigated a Windows-based VHD ransomware incident that hit a victim in Europe. “The ransomware itself is nothing special: it’s written in C++ and crawls all connected disks to encrypt files and delete any folder called 'System Volume Information' (which are linked to Windows’ restore point feature),” the security company wrote in its report.

Still, Kaspersky Lab noticed that VHD spread itself over the victims' network through techniques North Korean hackers have used in past attacks. In May, the security company then investigated a second VHD attack in Asia, where the company was able to gather a complete picture of how the ransomware strain infected and spread over the victim’s network. The evidence revealed the use of the North Korean hacking tool, which acted as a backdoor.

In this instance, we believe initial access was achieved through opportunistic exploitation of a vulnerable VPN gateway,” Kaspersky Lab said. “After that, the attackers obtained administrative privileges, deployed a backdoor on the compromised system and were able to take over the Active Directory server. They then deployed the VHD ransomware to all the machines in the network.”

Kaspersky is confident only one hacking group was inside the victims' networks. However, other details about the attack remain a mystery. For instance, Kaspersky Lab declined to identify the victims, or comment on how much the VHD ransomware requested.

Still, the company does note one of the attacks was deployed in a "hit-and-run" fashion involving the ransomware being deployed in 10 hours. Other ransomware attackers explore their victims' networks for days or weeks to determine what to encrypt, and how much money to demand.

“The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors,” Kwiatkowski added.