Cause for Concern? Ransomware Strains Trace to North KoreaAttackers Appear to Be Testing Profit-Making Potential of Crypto-Locking Malware
If you were a nation with legions of hackers at your disposal, seeking to sidestep crippling international sanctions, would you look to ransomware to fund your regime?
That's one obvious question posed by new research that finds state-sponsored North Korean hackers haven't stopped experimenting with ransomware.
"The Democratic People's Republic of Korea is already under heavy sanctions to limit their movements. By following in the footsteps of ransomware crews like Conti and actively attacking Western targets including critical infrastructure, they risk more sanctions against them."
Specifically, a researcher at security firm Trellix reports finding signs that four ransomware strains recently spotted in the wild trace to North Korean government hackers.
Of course, the Pyongyang-based Democratic People's Republic of Korea, as it's officially known, doesn't shy away from using various illicit tactics to turn a profit, including online bank heists and regularly hitting cryptocurrency exchanges. Why should ransomware be any different?
Lessons learned from WannaCry might be one answer. In May 2017, the crypto-locking ransom worm struck worldwide and was later attributed to Lazarus Group - aka APT 38, Hidden Cobra, Unit 180 - which has been tied to North Korea's primary intelligence agency, the Reconnaissance General Bureau. The fact that WannaCry lacked the ability to receive ransom payments suggested the malware might have gotten out of control before its developers were ready for it to be deployed. Perhaps any further mass ransomware campaign that might get traced to Pyongyang is seen by leaders as still being too politically toxic?
Sanctions might be another answer: the U.S. Treasury Department's Office of Foreign Assets Control continues to expand its sanctions against Lazarus Group as the group gets blamed for more attacks, including the March theft of $615 million in cryptocurrency from the Ronin decentralized finance service. The OFAC sanctions prohibit anyone from conducting any transactions involving specified groups or wallet addresses.
Signs of Fresh Crypto-Locking Malware
Nevertheless, while ransomware continues to largely be the province of criminal groups, and in particular ransomware-as-a-service operations, post-WannaCry "there have also been attempts made to step into the world of ransomware" by DPRK hackers, says Christiaan Beek, the lead scientist and senior principal engineer of Trellix Threat Labs, in a recent report.
That includes VHD ransomware, which was first spotted in March 2020, and which researchers found was being deployed via Lazarus' cross-platform malware delivery system, called MATA.
In early 2021, meanwhile, security researchers found that newly deployed TFlower ransomware appeared to be using the MATA framework, suggesting that it was being deployed by North Koreans.
Might DPRK's ransomware experiments be continuing?
To help answer that question, Beek began looking for any malware that reused VHD ransomware code. He found code overlaps between VHD and these four ransomware families: BEAF, PXJ, ZZZZ and CHiCHi. In addition, he found that the same ProtonMail email address was used as a contact point for samples of both the CHiCHi and ZZZZ ransomware families.
Beek says attacks involving those four strains of ransomware appeared to focus on targets in the Asia-Pacific region but were not widely deployed. "Besides some reports, not much is known about the victims as there were no leak pages or negotiation chats, which are now common for groups to utilize," he says. In addition, whatever ransoms might have been demanded, "the paid ransom amounts were relatively small," and none of the cryptocurrency wallets connected to the different strains appeared to interact with each other.
Hence Beek says all signs points to hackers associated with DPRK continuing to test ransomware and perhaps occasionally to use it as a distraction to facilitate other attacks - as seen in an online heist from a bank in Taiwan in 2017 - but not to run full-fledged campaigns.
"What we have observed so far is that source code of a ransomware family was bought, modified and used in the APAC region," he tells me. "However, to date, we have found that the amount of attacks recorded and reported are low. Compared to the larger RaaS campaigns, they resemble more of an 'attempt' as opposed to a sophisticated setup operation."
One likely explanation for DPRK hackers not focusing on ransomware: Time is money. For criminals, ransomware and business email compromise schemes continue to be two relatively quick, easy, safe and lucrative strategies.
But the DPRK hackers face a significant challenge, which is that the OFAC sanctions have prohibited funds from being paid to them and could be easily expanded to cover any new cryptocurrency wallets that the hackers might try to use for receiving ransom payments.
"The Democratic People's Republic of Korea is already under heavy sanctions to limit their movements," Beek says. "By following in the footsteps of ransomware crews like Conti and actively attacking Western targets including critical infrastructure, they risk more sanctions against them."
Hence so far DPRK has likely decided that other strategies offer an easier payday. "Attacking cryptocurrency exchanges and quickly using mixing services to exchange against less traceable cryptocurrency or cash it out and launder it in other ways is effective and comes with less risk," Beek says.