As the dark web becomes multi-national, US government agencies are racing to identify who is responsible for the latest ransomware attacks.
Dark Web Coalition
Cybercriminals have been collaborating for decades and over the past few years have developed a highly sophisticated underground network. This cybercriminal underground is most often referred to as the Dark Web. Dark Web founders are always seeking new recruits to carry out their organization’s malicious plans. It is widely known that these APT groups are growing and gaining momentum at an incredible rate. For a detailed spreadsheet of current APT groups, click here. The NSA, CISA, DHS, and FBI are tirelessly trying to keep pace with new APT groups from around the world.
Lazarus Group aka Hidden Cobra
An increasingly aggressive group known as the Lazarus Group is suspected of developing the latest VHD ransomware. The Lazarus Group, aka Hidden Cobra, is known to be supported by North Korea. Early attacks from the APT group were aimed at gathering PII, sabotage and retaliation. One notable attack by Hidden Cobra was the 2014 breach of Sony Pictures Entertainment, in which the group accessed personal emails and obtained the PII of nearly 4,000 employees. More recently, the attacks using VHD have centered on Bitcoin exchanges, the financial sector and technology. In 2016, the Bangladesh Bank was targeted and lost $81 million to the Lazarus Group. Individual APT group objectives can be somewhat unclear, but for the Lazarus Group the objective is clearly monetary. Trade restrictions from the United States have also placed a massive strain on North Korea’s economy. By restricting trade with North Korea, the United States could potentially become the target of a massive network attack. For an in-depth list of North Korean cyber activity, click here.
Cyberattacks are ever changing and almost impossible to predict; the challenge is keeping up with each cyber actor’s purpose and approach. By identifying attack-vector patterns, cybersecurity agencies can begin to categorize malicious intent and predict possible targets. Malware is often repurposed, so it looks and acts the same as its predecessor. Malware that has already been tested is more likely to be recycled than replaced with an entirely new program. As malware is tested and reused, government researchers and developers also gain the opportunity to identify possible correlations between attacks.
CISA has contributed to the analysis of VHD ransomware, which features Trojan malware related to “HOPLIGHT.” VHD ransomware was first recognized in March 2020 by its self-replicating feature, its backdoor access (MATA) and the specific VPN gateways it used. For the full article, click here.
VHD ransomware characteristics:
DHS and CISA have developed resources to categorize each cyberattack, track APT groups and create a plan of action.
CISA resources provide information on data recovery, protecting your network and understanding protocols. For a list of cybersecurity practices and resources, click here.