A group of hackers known for having associations with the government of North Korea has recently resurfaced.

This time, it appears that the cybercriminal group Lazarus is changing its attack strategy and reverting to using ransomware against its intended victims. A recently issued report outlines how the hacker group has ramped up its attack campaigns with the latest malware strains available, which represent an upgrade on the versions it previously employed.

In recent years, the government of North Korea has been linked to multiple active cybercriminal groups, but among them Lazarus – also referred to as Hidden Cobra and Zinc – is considered to be the most dangerous. The group is well known for the world-famous WannaCry ransomware, which infected more than 300,000 computers running Windows operating systems around the world, accompanied by demands for payments made in cryptocurrency.

A new strain of cyberattack

A report published by Moscow-based cybersecurity experts at Kaspersky Lab reveals that the Lazarus group is now targeting victims with an all-new form of malware. The Russian researchers’ findings have attributed a recent wave of cyberattacks, made using a rarely seen malware strain called VHD, to the hackers.

The document indicates that VHD’s attack pattern involves crawling all connected disks so it can encrypt every file, while simultaneously deleting any folders that hold the data Windows uses to provide restore points.

Specialists at Kaspersky commented that this form of malware is unique, stating that it doesn’t fit with the usual methods and techniques used by hackers targeting large enterprises and corporations. The researchers also discovered an exceptionally limited number of samples for VHD malware, suggesting that it has been custom-built and is not a product purchased on the dark web.

Modus operandi of a hacker group

According to the Kaspersky report, which is based on the VHD-related ransomware attacks it has tracked thus far in 2020, Lazarus is exhibiting more finesse in delivering its attacks. The hacker group has spread the malware via the MATA framework, a far more advanced architecture capable of attacking Linux, macOS and Windows operating systems.

Past attacks have seen Lazarus target financial institutions and their systems, sometimes successfully extracting sums running into the hundreds of millions. Digital currency exchanges have often been selected as targets by the group. A report issued by Group-IB indicates Lazarus was behind the largest hack on this sector, in which around $534 million was taken from Coincheck.

This recent shift into ransomware should be seen as a cause for concern, according to Ivan Kwiatkowski, senior security researcher for Kaspersky, who commented:

“While it is obvious that the group cannot match the efficiency of other cybercriminal gangs with this hit-and-run approach to targeted ransomware, the fact that it has turned to such types of attacks is worrisome. The global ransomware threat is big enough as it is, and often has significant financial implications for victim organisations up to the point of rendering them bankrupt.”

The cybercriminal group was also allegedly responsible for the cyberattack on the Bangladesh Bank, which netted them $81 million, and the headline-stealing hack on Sony Pictures.