New Malware Exploits VPNs, Thanks To North Korea's Infamous Lazarus Group

Published: September 23, 2020 on our newsletter Security Fraud News & Alerts Newsletter.

The well-known Lazarus Group, with strong ties to North Korea, has released a new and little-known ransomware. It’s called VHD, and it’s a shift from the group’s previous malware attacks, which have grabbed hacking headlines since 2014. The change in strategy may be that Lazarus Group members are now operating the entire attack and all of its components by themselves, unlike in previous attacks. The reason, Kaspersky researchers believe, is that Lazarus is getting rid of the middlemen to maximize its profits. After all, profit is the goal of ransomware attacks, and Lazarus Group has a history of being particularly good at them.

Although VHD has only been seen in two attacks, in March and April of this year, both were handled by Kaspersky’s Incident Response Team. The first happened in France and the second in Asia. It was the Asian attack that targeted a VPN (Virtual Private Network) gateway, exploiting its vulnerabilities to gain administrative privileges. With those privileges, the hacking group created a backdoor that removed the need for access privileges and took over the enterprise Active Directory server. Doing so allowed VHD to spread to every device in the network in just 10 hours. Kaspersky believes VHD may be in the early stages of development and that improvements to the ransomware could follow. A Kaspersky researcher remarked “We’ll look at future incidents closely, as it will indicate whether this strategy paid off for them.”

Lazarus Group came to massive fame in 2014 with a fierce ransomware attack against Sony Pictures Entertainment. Sony was targeted, reportedly, after North Korean leader Kim Jong-un became aware the company was preparing to release a movie, “The Interview,” showing Kim in an unflattering light. A ransomware attack ensued that wiped out Sony’s data, released sensitive information about its executives, and generally held all data for ransom to block the film’s release, which it did temporarily.

The Group is also credited with the 2017 WannaCry ransomware attack that crippled healthcare and other institutions in 47 countries with more than 45,000 attacks. The ransom demand was $300 in bitcoin, which would double in three days if not paid. The threat ultimately claimed that if the ransom wasn’t paid, all data would be permanently erased. In 2019, the U.S. furthered sanctions against North Korea for its hacking and cyber-espionage attacks. It is highly unlikely that this will stop the behavior of the group. However, we continue to be reminded that cyber attackers are always looking for ways to change and improve their tactics. For the time being, ransomware is a popular way to grab headlines and a good payday.

Some good cyber-secure advice:

  • Back up systems, both at the office and at home. This may eliminate the need to pay a ransom to an attacker.

  • Install and keep antivirus software up to date on all systems, mobile included.

  • Keep a keen eye out for phishing attempts. Look for email or text messages with misspelled words or grammatical errors, and for messages from unknown senders. Don’t discount a message from a known sender as possible phishing, especially if it includes a link or attachment that isn’t expected.

Want to schedule a conversation? Please email us at
