VHD ransomware is owned and operated by Lazarus group, researchers find

The first reports of VHD ransomware had appeared in March this year

The North Korea-linked Lazarus APT group is behind the little-known VHD ransomware that was used in attacks earlier this year.

That's according to the researchers from cyber security firm Kaspersky, who arrived at the conclusion after investigating several VHD cases, in which attackers were able to deploy ransomware in targeted companies' networks.

The first reports of VHD ransomware appeared in March 2020, when it was spotted using a self-replication technique, along with victim-specific credentials, to extort money from its victim.

The researchers found that this malicious programme was not available on hacker forums, and was rather specifically designed for targeted attacks. The tools and techniques used by VHD malware suggested that it was likely part of some advanced persistent threat (APT) campaign.

The first incident, which was reported in Europe, did not give many indications about which group was behind the VHD malware, although researchers did notice the malicious code that was used by attackers to spread VHD over the targeted network.

The ransomware had at its disposal lists of IP addresses of the systems to be targeted, as well as credentials for admin accounts. The data was used to launch brute-force attacks on the SMB service, and if it managed to connect to the network folder of another machine using the SMB protocol, it immediately copied and executed itself to encrypt that machine also.

The second case of VHD infection was reported in May, where Kaspersky researchers found that attackers gained initial access to the target network by exploiting a vulnerable VPN gateway.

Further analysis of the VHD tools revealed that attackers had used a backdoor that was a part of a multiplatform MATA framework.

This analysis also revealed that it is written in C++ and is designed to encrypt files on all connected disks. It also deletes "System Volume Information" folders, which are linked to Windows' restore point feature.

All these findings led Kaspersky researchers to conclude that VHD is another tool of the Lazarus group. The researchers also believe that by mounting such an attack, Lazarus is making a big change from its previous approach to cybercrime.

Lazarus, also known as Hidden Cobra, became widely known in 2014 when it hacked Sony Pictures over the film The Interview, a comedy centring on the assassination of North Korean leader Kim Jong-un.

According to cyber security firm Group-IB, this notorious group stole more than $600 million worth of cryptocurrency in 2017 and 2018.

In May, researchers from cyber security firm Malwarebyes claimed that they had identified a new variant of the Dacls Remote Access Trojan (RAT) specifically designed by Lazarus to target devices running Mac operating system (macOS).

Earlier this month, researchers from cyber security firm Sansec warned that Lazarus was planting skimmers on US and European retail websites in efforts to steal payment card details of unsuspecting shoppers.

The researchers claimed that the group has developed a global exfiltration network that uses hijacked websites to transfer stolen assets to attackers.