Lazarus Group Reportedly Deploys VHD Ransomware on Victims

Author: Jimmy Aki
Last Updated: 31 July 2020

The Lazarus hacking group has grown to become one of the best-known in the tech and crypto industries. After a series of hacks over the years and links to the government of North Korea, the group might be taking another swing at potential victims.

Lazarus is Still Going Strong

Recently, Russian internet security firm Kaspersky Labs sent out a warning that the Lazarus group has launched a multipurpose malware tool to target computer networks. Per the report, the tool, which Kaspersky named MATA, can attack computers regardless of their operating system.

Kaspersky Labs explained that it had uncovered the campaign after noticing the tool’s use in two separate attacks earlier in the year. While it didn’t go into detail concerning the attacks, it confirmed that they had differed from other Lazarus phishing operations. The group’s apparent use of the VHD ransomware, which is self-spreading and can encrypt all the information on victims’ computers, was most prominent. Kaspersky noted that the ransomware was used to compromise some businesses in Europe between March and May.

“Among other things – and most importantly – the attackers used a backdoor, which was a part of a multiplatform framework called MATA, which Kaspersky recently reported on in-depth and is linked to the aforementioned threat actor,” Kaspersky said.

The VHD ransomware completely locks the victim out of their computer. Then, it displays a message offering to decrypt the information as soon as the victim makes a Bitcoin payment. Kaspersky adds that while it hadn’t determined the actor behind the attacks, it was confident that the VHD ransomware had links to the Lazarus group.
Exploiting the COVID-19 Crisis

The Lazarus group has been quite active this year, joining its peers in taking advantage of the increased reliance on the internet during the coronavirus pandemic. Last month, cybersecurity vendor Cyfirma published a report warning about a massive phishing campaign that the group was planning to launch. Per the report, the attack would target six nations and about five million individuals and businesses. Cyfirma explained that the group planned to hit Japan, Singapore, India, South Korea, the United Kingdom, and the United States.

The group planned to capitalize on people receiving payments intended to mitigate the coronavirus crisis. More specifically, the group had allegedly been using fake emails to impersonate government accounts. They would ask their victims to visit counterfeit websites and ask for money to save their data.

A company spokesperson also told Cointelegraph that Cyfirma had found an early indicator in the form of a folder called “Health-Problem-2020,” which the hackers planned to deploy against the countries listed above. He added that the group planned to use social engineering tactics to lure individuals and businesses into divulging their financial and personal information.

“Citizens and business owners are in desperate need of these government fiscal support packages and chances of them falling prey to this phishing attack is very high,” he clarified. The spokesperson added that Cyfirma had alerted the vulnerable countries’ governments to be aware of the potential threat.