As the dark web becomes multi-national, US government agencies are racing to identify who are responsible for the latest ransomware attacks.
Dark Web Coalition
Cybercriminals have been collaborating for decades and over the past few years have developed a highly sophisticated underground network. The cybercriminal underground is most often referred to as the Dark Web. Dark Web founders are always seeking new recruits to carry out their organization’s malicious plans. It’s widely known that these APT groups are growing and gaining momentum at an incredible rate. For a detailed spreadsheet of current APT Groups, click here. The NSA, CISA DHS, and FBI are tirelessly trying to keep pace with new APT groups from around the world.
Lazarus Group aka Hidden Cobra
An increasingly aggressive group known as the Lazarus Group is suspected to be the developers of the latest VHD ransomware. The Lazarus Group, aka Hidden Cobra, is known to be supported by North Korea. Early attacks from the APT group were aimed at gathering PII, sabotage and retaliation. One notable attack by Hidden Cobra was in 2014, against Sony Pictures Entertainment by breaching personal emails and gaining PII of nearly 4,000 employees. More recently the attacks using VHD have been centered around Bitcoin Exchange, the financial sector and technology. In 2016, the Bangladesh Bank was targeted and lost $81 million to the Lazarus Group. Individual APT group objectives can be somewhat unclear, but for the Lazarus Group it is clearly monetary. Trade restrictions from the United States has also placed a massive strain on North Korea’s economy. By restricting trade to North Korea, the United States could potentially become a target for a massive network attack. For an in-depth list of North Korean cyber activity, click here.
Cyberattacks are ever changing and almost impossible to predict, the challenge is keeping up with the cyber actor’s purpose and approach. By identifying vector patterns cybersecurity agencies can begin to categorize malicious intent and predict possible targets. Often malicious malware is repurposed, so it looks and acts the same as its predecessor. Malware that has already been tested is more likely to be recycled, rather than to develop an entirely new program. As malware is being tested and reused government researchers and developers also gain the opportunity to identify possible correlations between attacks.
The CISA has contributed to the analysis of VHD ransomware, which features Trojan malware related to “HOPLIGHT.” VHD ransomware was first recognized in March 2020, by its self-replicating feature, backdoor access (MATA) and specific VPN gateways. For full article, click here.
VHD ransomware characteristics:
- PE32 executable, the malware will collect system information including OS version, volume information, and system time and enumerate the system drives and partitions
- Read, Write, and Move Files; Enumerate System Drives; Create and Terminate Processes; Inject into Running Processes; Create, Start and Stop Services; Modify Registry Settings; Connect to a Remote Host; Upload and Download Files
- The malware uses a public SSL certificate for secure communications from South Korean web giant Naver and employs proxies to obfuscate its activity
- The proxies generate fake TLS handshake sessions, using valid public SSL certificates, disguising network connections with remote malicious actors
The DHS and CISA have developed resources to categorize each cyberattack, track APT groups and create a plan of action.
- Fortunately, the DHS has been monitoring malicious malware attacks for decades and has created numerous resources to protect global networks. DHS cybersecurity homepage.
- The CISA recently published and alert warning to strengthen networks and create a recovery plan for system data. Full article, here.
CISA resources can provide information on data recovery, protecting your network and understanding protocols. For a list of cybersecurity practices and resources, click here.