Kaspersky finds Lazarus is now operating its own ransomware

Press release content from Business Wire. The AP news staff was not involved in its creation.

WOBURN, Mass.–(BUSINESS WIRE)–Jul 28, 2020–

Incident analysis by Kaspersky[1] of two cases in Europe and Asia has uncovered that VHD ransomware[2] – first discussed in public in spring 2020 – is owned and operated by Lazarus, a prominent APT group. The move by Lazarus to create and distribute ransomware signifies a change of strategy and indicates a willingness to engage in big game hunting in pursuit of financial gain, which is highly unusual among state-sponsored APT groups.

In March and April 2020, a few cybersecurity organizations, including Kaspersky, reported on VHD ransomware – a malicious program designed to extort money from its victims, which stood out due to its self-replication method. This malware’s use of a spreading utility, compiled with victim-specific credentials, was reminiscent of APT campaigns. While the actor behind the attacks was not determined, Kaspersky researchers have now linked the VHD ransomware to Lazarus with high confidence, following analysis of an incident where it was used in close conjunction with known Lazarus tools against businesses in France and Asia.

Two separate investigations involving VHD ransomware were conducted between March and May 2020. While the first incident, which occurred in Europe, did not give many hints as to who was behind it, the spreading techniques similar to those used by APT groups kept the investigation team curious. In addition, the attack did not fit the usual modus operandi of known big-game hunting groups. Also, the fact that a very limited number of VHD ransomware samples were available, coupled with very few public references, indicated that this ransomware family might not be traded widely on dark market forums, as would usually be the case.

The second incident involving VHD ransomware provided a complete picture of the infection chain and enabled the researchers to link the ransomware to Lazarus. Among other things, and most importantly, the attackers used a backdoor that was part of a multiplatform framework called MATA[3]. Kaspersky recently reported on MATA in depth and linked it to Lazarus on the basis of a number of code and utility similarities.

The established connection indicated that Lazarus was behind the VHD ransomware campaigns that have been documented so far. This is also the first time it has been established that the Lazarus group has resorted to targeted ransomware attacks for financial gain, having created and solely operated its own ransomware, which is not typical in the cybercrime ecosystem.

“We have known that Lazarus has always been focused on financial gain, however, since WannaCry we had not really seen any engagement with ransomware,” said Ivan Kwiatkowski, senior security researcher at Kaspersky’s GReAT. “While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome. The global ransomware threat is big enough as it is, and often has significant financial implications for victim organizations up to the point of rendering them bankrupt. The question we have to ask ourselves is whether these attacks are an isolated experiment or part of a new trend and, consequently, whether private companies have to worry about becoming victims of state-sponsored threat actors. Regardless, organizations need to remember that data protection remains important as never before – creating isolated back-ups of essential data and investing in reactive defenses are absolute must-dos.”

To help businesses stay protected from ransomware, experts also suggest taking the following steps:

  • Reduce the chance of ransomware getting through via phishing and negligence: explain to employees how following simple rules can help a company avoid ransomware incidents. Dedicated training courses can help, such as the ones provided in the Kaspersky Automated Security Awareness Platform[4].
  • Ensure all software, applications, and systems are always up to date. Use a protection solution with vulnerability and patch management features to help identify as-yet unpatched vulnerabilities in your network.
  • Carry out a cybersecurity audit of your networks and remediate any weaknesses discovered in the perimeter or inside the network.
  • Make sure the right protection is in place for all endpoints and servers by adopting a solution such as Kaspersky’s Integrated Endpoint Security[5] solution. This combines endpoint security with sandbox and EDR functionality, enabling effective protection from even new types of ransomware and instant visibility over the threats detected on corporate endpoints.
  • Provide your security team with access to the latest threat intelligence[6] to keep it up to date with new and emerging tools, techniques and tactics used by threat actors and cybercriminals.
  • Ransomware is a criminal offense. If you become a victim, never pay the ransom. Instead, report the incident to your local law enforcement agency. Try to find a decryptor on the internet – you will find some available at https://www.nomoreransom.org/en/index.html[7].

Learn more about the described incidents involving VHD ransomware on Securelist.com[8].

About Kaspersky

Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at usa.kaspersky.com[9].

View source version on businesswire.com: https://www.businesswire.com/news/home/20200728005659/en/[10]

Sawyer Van Horn
(781) 503-1866

SOURCE: Kaspersky

Copyright Business Wire 2020.

PUB: 07/28/2020 10:30 AM/DISC: 07/28/2020 10:30 AM

  1. Kaspersky (cts.businesswire.com)
  2. VHD ransomware (cts.businesswire.com)
  3. MATA (cts.businesswire.com)
  4. Kaspersky Automated Security Awareness Platform (cts.businesswire.com)
  5. Integrated Endpoint Security (cts.businesswire.com)
  6. threat intelligence (cts.businesswire.com)
  7. https://www.nomoreransom.org/en/index.html (cts.businesswire.com)
  8. Securelist.com (cts.businesswire.com)
  9. usa.kaspersky.com (cts.businesswire.com)
  10. https://www.businesswire.com/news/home/20200728005659/en/ (www.businesswire.com)
