North Korean Hackers May Be Dabbling in Ransomware Again
The North Korean hackers allegedly behind the 2017 WannaCry
outbreak appear to be dipping their toes back into launching ransomware
attacks.
Kaspersky Lab investigated two attacks earlier this year
involving the VHD ransomware strain. Evidence left behind shows the culprits
used a unique hacking tool that’s been tied to other intrusions attributed to
the North Korean hacking group known as Lazarus.
The attacks have Kaspersky Lab worried the country’s
state-sponsored hackers could be preparing other ransomware attacks. North
Korea has already been blamed for numerous cyber intrusions that have stolen
funds from banks and cryptocurrency exchanges. However, the country’s hackers have
generally refrained from resorting to ransomware, which can encrypt your
computer’s files, holding them hostage unless you pay a fee.
The one exception is WannaCry, which attacked hundreds of
thousands of vulnerable Windows machines in May 2017. While WannaCry excelled
at spreading across the globe, the actual ransomware component was shoddily
built and could not tell which victims had actually sent Bitcoin to pay the
ransom.
The same assault only demanded victims pay $300 or $600 per
infected computer. Other high-profile ransomware attacks can demand six figures
or more when the malicious code is able to encrypt computers belonging to a
corporation or hospital.
“We have known that Lazarus has always been focused on
financial gain, however, since WannaCry we had not really seen any engagement
with ransomware,” Kaspersky Lab researcher Ivan Kwiatkowski said in a
statement.
However, this may no longer be the case. In March, Kaspersky
Lab investigated a Windows-based VHD ransomware incident that hit a victim in
Europe. “The ransomware itself is nothing special: it’s written in C++ and
crawls all connected disks to encrypt files and delete any folder called
'System Volume Information' (which are linked to Windows’ restore point
feature),” the security company wrote in its report.
Still, Kaspersky Lab noticed that VHD spread itself over the
victims' network through techniques North Korean hackers have used in past
attacks. In May, the security company then investigated a second VHD attack in
Asia, where the company was able to gather a complete picture of how the
ransomware strain infected and spread over the victim’s network. The evidence
revealed the use of the North Korean hacking tool, which acted as a backdoor.
“In this instance, we believe initial access was achieved
through opportunistic exploitation of a vulnerable VPN gateway,” Kaspersky Lab
said. “After that, the attackers obtained administrative privileges, deployed a
backdoor on the compromised system and were able to take over the Active
Directory server. They then deployed the VHD ransomware to all the machines in
the network.”
Kaspersky is confident only one hacking group was inside the
victims' networks. However, other details about the attack remain a mystery.
For instance, Kaspersky Lab declined to identify the victims, or comment on how
much the VHD ransomware requested.
Still, the company does note that one of the attacks was carried out
in a “hit-and-run” fashion, with the ransomware deployed within
10 hours of initial access. Other ransomware attackers explore their victims' networks for days
or weeks to determine what to encrypt and how much money to demand.
“The question we have to ask ourselves is whether these
attacks are an isolated experiment or part of a new trend and, consequently,
whether private companies have to worry about becoming victims of
state-sponsored threat actors,” Kwiatkowski added.