Multiple ransomware variants now linked to North Korean hackers

Ransomware strains have now been linked to the APT38 hacker group, known for its financial focus

Image: Financial institutions targeted by North Korean attackers that now deploy various ransomware

The hacker gang that targets financial institutions worldwide is reportedly associated with several new strains of ransomware. The malware used to extort money from victims now appears to be in the hands of a North Korean state-sponsored hacking group known for its particular focus on stealing funds from organizations.[1]

This group is also known for using other destructive malware in victims' networks during these campaigns.[2] It is most likely deployed at the end of an attack to destroy any traces of the intrusion and avoid consequences or possible detection.

The particular links to APT38 were discovered when the code of an artifact similar to VHD ransomware was analyzed. The ransomware is similar to TFlower ransomware, which is linked to operations of the North Korean Lazarus APT group.[3] It is reported that the group also used the Beaf, PXJ, ZZZZ, and ChiChi ransomware pieces to attack victims and extort money all over the world.

Multiple connections after analysis

Sygnia's and Kaspersky's research teams made the connection between a few strains of ransomware that were launched on networks via the cross-platform MATA malware framework. According to the reports, this malicious tool is used exclusively by the Lazarus group.[4]

Visualizing the code of these threats showed that the ransomware strains share a large amount of source code and functionality. This method confirmed a significant connection between the VHD, TFlower, PXJ, ZZZZ, Beaf, and ChiChi variants. The last of these has fewer points in common, but it was revealed that the email address used by this threat as its contact address was also listed in ransom notes dropped when ZZZZ ransomware was deployed.

These cryptocurrency extortion-based threats mainly targeted entities in the Asia-Pacific region. There are no leak sites or negotiation chats that could be investigated further, so identifying victims is difficult. Even though the payments and cryptocurrency transfers were investigated, no overlap or connection to other hacker groups and criminals was found.[5]

North Korean hackers focusing on making a profit

It was discovered that these North Korean hackers were not able to make much money from the victims. Cryptocurrency asset tracking shows that some transfers in 2020 were equivalent to $20 000. These ransomware attacks might not be used as the primary way of making money.

It is believed that the deployment of these multiple ransomware strains is part of larger organized operations. Over the years, there have been many attacks on financial institutions such as global banks and blockchain providers. These infiltrations rely on spear-phishing, fake mobile apps, fake alerts, and emails.

These ransomware attacks might just be testing the waters, as the Trellix report states:

Since these attacks were predominantly observed targeting the APAC[…] these attacks might have been executed to discover if ransomware is a valuable way of gaining income.

These North Korean hacker groups are well known, and Lazarus and APT38 are motivated to keep operating worldwide without detection or shutdown. These adaptive attacks allow them to use various tools and achieve their particular goals for years. These findings might be updated as other strains are found.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-Chief.
