Lazarus group is behind encryption trojan

News | B2B Cyber Security


A backdoor belonging to the multi-platform malware framework MATA was found in VHD ransomware attacks and exposed the APT group Lazarus as the operator behind the ransomware.

While analysing two cases of VHD ransomware used in attacks in Europe and Asia, Kaspersky researchers were able to attribute them to the notorious North Korean APT group Lazarus. Both the group's development of its own ransomware and the purely financial motivation behind it point to a change in strategy; both are highly unusual for a state-sponsored APT group.

The first reports of the so-called VHD ransomware appeared in March and April 2020. The malware is notable for its ability to spread on its own inside a network and is designed to extort money from its victims. The use of a loader compiled with victim-specific credentials to distribute the malware resembles the tradecraft of APT campaigns rather than that of ordinary cybercriminals. After analysing an incident in which VHD ransomware was used alongside known Lazarus tools against companies in France and Asia, Kaspersky researchers were able to link the ransomware to the APT group Lazarus.

The backdoor of the multi-platform malware framework MATA exposes the people behind it

Between March and May 2020, Kaspersky experts carried out two independent investigations into the VHD ransomware. In the first incident, in Europe, there was little evidence of who was behind the attack, but the spreading techniques were similar to those used by APT groups. At the same time, the attack did not match the usual practice of well-known ransomware groups, which aim at large, high-value targets. In addition, very few ransomware samples and published cases existed, suggesting that this malware family is not widely traded on underground forums, as is usually the case with ransomware.

In the second attack involving VHD ransomware, however, the infection chain could be traced, and the researchers were able to link the malware to the Lazarus group. Among other things, the attackers used a backdoor that is part of the multi-platform MATA framework, which Kaspersky recently reported on in detail and which can be attributed to this APT group because of similarities in code and tooling. According to Kaspersky telemetry, the victims infected with the MATA framework were located in Germany, Poland, Turkey, Korea, Japan and India.

Encryption Trojan VHD: Findings from evaluated attacks

These findings suggest that Lazarus is behind the VHD ransomware campaigns discovered so far. The ransomware was developed and operated by the group itself, which is quite unusual in the cybercrime environment, where ransomware is typically bought or rented from specialised developers.

"We knew that Lazarus' activities were always aimed at financial gain, but since WannaCry [4] there have been no ransomware-related activities from the group," comments Ivan Kwiatkowski, security researcher at Kaspersky's Global Research and Analysis Team (GReAT). "While it is evident that the group cannot match the efficiency of other cybercriminals with this raid-type approach to ransomware, it is worrying that they have turned to this type of attack. The global ransomware threat is already big enough and often has a significant financial impact on victims, sometimes bankrupting them. The question we need to ask is whether these attacks are a one-off experiment or part of a new trend and therefore whether private companies need to worry about falling prey to state-sponsored threat actors. Regardless, organizations need to be aware that privacy is more important than ever. Backing up essential data and investing in reactive defenses is an absolute must."

Kaspersky tips to protect you from ransomware attacks

  • Train employees on how phishing is used to deliver ransomware and what they should look out for to avoid being compromised. Dedicated training programmes such as the Kaspersky Automated Security Awareness Platform can help here.
  • Companies should ensure that all software, applications and systems in use are always up to date. A security solution with vulnerability and patch management functions, such as Kaspersky Vulnerability and Patch Management, helps identify unpatched vulnerabilities in the company's own network.
  • Carry out regular cybersecurity audits of the company's own networks and remediate any vulnerabilities discovered.
  • All endpoints and servers should be protected with a comprehensive solution. A product such as Kaspersky Integrated Endpoint Security combines endpoint protection with sandbox and EDR functionality and thus enables protection against both known and unknown threats.
  • The security team should have access to up-to-date threat intelligence in order to keep abreast of new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
  • Ransomware is a criminal offence. Victim companies should therefore never respond to ransom demands or pay. Instead, the incident should be reported to local law enforcement agencies. Free decryption tools are also available at nomoreransom.org, which can restore the data in some cases.


More on this at Securelist.com from Kaspersky


About Kaspersky

Kaspersky is an international cybersecurity company founded in 1997. Kaspersky's in-depth threat intelligence and security expertise serve as the basis for innovative security solutions and services that protect companies, critical infrastructure, governments and private users worldwide. The company's comprehensive security portfolio includes leading endpoint protection as well as a range of specialised security solutions and services to defend against complex and evolving cyber threats. Kaspersky technologies protect over 400 million users and 250,000 corporate customers. More information about Kaspersky can be found at www.kaspersky.com/
