# Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware

**[web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/](https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/)**

In an interesting twist to the use of ransomware, an attacker leveraged a vulnerability in a
[plug-in for a remote-monitoring tool, Kaseya VSA, to gain access to a small Managed](https://web.archive.org/web/20200922165625/https://www.infosecurity-magazine.com/news/gandcrab-ransomware-slingers-1-1/)
Services Provider, and infect approximately 80 companies with the GandCrab ransomware.
This is a notable shift in tactics for purveyors of ransomware, and follows the trend of
commercial crimeware being used to attack businesses, and now service providers, rather
than individual.

## The History of Ransomware: From Userspace to the Enterprise

The history of ransomware (extortion via malicious software) goes all the way back to 1989,
[with PC Cyborg, also known as the AIDS Trojan, written by Joseph Popp. The malware had](https://web.archive.org/web/20200922165625/https://www.theatlantic.com/technology/archive/2016/05/the-computer-virus-that-haunted-early-aids-researchers/481965/)
serious flaws, allowing key extraction from the code itself, and ultimately did little damage in
comparison to the most destructive attacks to date, WannaCry and Petya/NotPetya. The first
robust ransomware emerged with the introduction of public-key-cryptography to the
ransomware concept by Adam L. Young and Moti Yung. Young & Young’s experimental
[malware, and coined the term cryptovirology, encompassing overt and covert attacks utilizing](https://web.archive.org/web/20200922165625/https://ieeexplore.ieee.org/document/502676)
cryptographic functions. By 2006, various ransomwares had begun to utilize more
sophisticated RSA encryption schemes and larger key sizes. In 2008, the malware known as
Gpcode.AK utilized a 1024-bit RSA key, which was determined to be computationally
infeasible to break without a distributed effort.

In 2013, the now infamous Cryptolocker ransomware netted its operators an estimated $27
million from infected users, shooting ransomware to the top of the profitable e-crimes list next
to banking trojans. Cryptolocker itself evolved, and soon began targeting network-attached
[storage devices, and in 2015, began to target Linux-based webservers. Further evolution of](https://web.archive.org/web/20200922165625/https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware)
ransomware came with CryptoWall, which utlized a digital signature in an effort to appear
trustworthy. CryptoWall took further destructive measures as well, deleting volume shadow
copies, on top of its capabilities of password-stealing and BitCoin wallet hijacking. The
SamSam ransomware, which was first detected in 2016, targeted JBoss servers. Rather
than utilizing email phishing and malicious documents, SamSam directly infected webservers
over the internet. Victims of SamSam included hospitals, and local governmental bodies in
the United States: the city of Atlanta, GA, USA, was completely crippled by [SamSam in](https://web.archive.org/web/20200922165625/https://blog.barkly.com/atlanta-ransomware-attack-2018-samsam)
March 2018.

In May 2017, the highly destructive WannaCry ransomware spread across the internet using
an exploit named EternalBlue which was leaked from the U.S. National Security Agency. An
estimated 230,000 systems were infected in more than 150 countries. The malicious


-----

software demanded money from users in 20 different languages. WannaCry was the first
ransomware to affect enterprise organizations, which included Telefónica, the British National
Health Service, FedEx, Deutsche Bahn, Honda, Renault, and even the Russian Interior
Ministry. For the first time, the global enterprise was forced to deal with threats which were
unconcerned with stealing trade secrets, but instead acted to cause as much destructive
damage as possible if their demands were not met.

[In March 2018, the Petya ransomware made its first introduction, followed by a heavily](https://web.archive.org/web/20200922165625/https://www.forbes.com/sites/leemathews/2017/08/16/notpetya-ransomware-attack-cost-shipping-giant-maersk-over-200-million/)
modified version which wreaked havoc on business, most notably the logistics firm Maersk,
whose Business IT infrastructure was almost completely destroyed, and terminals in four
countries were impacted, causing delays and disruptions for weeks. Speculation from
industry experts, including noted exploit developer known by his handle, the grugq noted that
NotPetya’s purpose appeared to be wholly destructive, and without concern for collecting
extortion fees, as is the general operation of file-locking malware. Instead, NotPetya simply
performed permanently destructive acts on the systems it infected.

## Nation-State Cyber-Attacks as a Service

A ransomware known as HERMES began appearing in October 2017, when it was used
against an attack against the Far Eastern International Bank in Taiwan. $60 million was
stolen in a sophisticated attack on the SWIFT system. Notably, the HERMES ransomware
appeared to be used solely as a diversion from the true heist: the attack on the SWIFT
system. Almost one year later, in August of 2018, [a new type of ransomware infection burst](https://web.archive.org/web/20200922165625/https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/)
onto the stage: Named Ryuk, after the name with which the ransom notes were signed,
victims included large newspaper publications such as the New York Times, Los Angeles
Times, and Wall Street Journal.

HERMES was attributed to the infamous Lazarous Group, believed to be funded by the
government of North Korea. As samples of Ryuk were analyzed, it was found to re-use code
from HERMES: a solid link to Lazarus Group. Ryuk is a fully-developed ransomware
package, and unlike HERMES, is not a decoy: the malware is wholly intended for the task of
[digital extortion. Ryuk marks the third time that Lazarus Group has used destructive malware](https://web.archive.org/web/20200922165625/https://www.kaspersky.com/blog/operation-blockbuster/11407/)
against its targets, the most notable being Sony Pictures in 2015, where ransomware was
used to destroy studio infrastructure.

[Dominating ransomware news recently has been the ransomware-as-a-service GandCrab:](https://web.archive.org/web/20200922165625/https://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/)
the software is maintained by a dedicated development team, whom deliver frequent updates
with additional capabilities and evasion techniques. Continuing with the trend of organized
crimeware targeting businesses instead of end-users, GandCrab was used to infect the
customers of a small Managed Services Provider, by way of breaching the MSP itself. Rather
than the MSP, the customers bore the infection and potential costs of ransom. By targeting
the MSP, the attackers managed to infect 80 victims at the same time. Practical and efficient.


-----

## Opinion: Lazarus Group and the Evolving Landscape of Enterprise- capable Malware

The trend of crimeware shifting from targeting end-users to targeting the enterprise has
continued in other malware areas, specifically with the evolution of the Emotet malware, a
trojan which targets bank information. First identified by researchers in 2014, it has evolved
from a simple money-stealing trojan which spreads via malspam campaigns, to a
[sophisticated malware toolkit capable of stealing emails and spreading via the infamous](https://web.archive.org/web/20200922165625/https://www.malwarebytes.com/emotet/)
EternalBlue exploit. Emotet is now capable of infecting an entire organization via its lateral
movement capabilities.

[The line between organized crimeware and nation-state espionage-ware is a fine one](https://web.archive.org/web/20200922165625/https://threatpost.com/nation-states-distancing-themselves-from-apts/123711/)
indeed: in a report by Cybereason’s Intelligence Unit released in February 2017 at the RSA
Conference, Russia, China, and the United Arab Emirates have been found to be
outsourcing targeted operations to dedicated hacking groups, presumably in further attempts
to mitigate risk and foil attribution. The use of outsourced labor, and potentially also malwareas-a-service is consistent with changing tactics, techniques, and procedures to confuse and
counter one’s adversaries. From a purely objective standpoint, these behaviours should be
expected.

Lazarus Group has demonstrated a concentrated and continuous effort to develop and
deliver both HERMES and Ryuk in targeted attacks, and like other skilled actors, makes
efforts to incorporate new evasion, privilege escalation, and lateral movement techniques
into new releases. Attribution in malware analysis is frequently difficult (and sometimes
impossible), due to a combination of obfuscation techniques, and intentionally misleading
clues left by the authors for analysts who stumble upon them, in addition to the copycat
nature of crimeware: where one software leads, others will follow, and this path leads straight
to improvement and innovation. The authors of crimeware learn from each other’s
implementations, and from the analysis performed by incident responders.

It is possible, and even likely, that Lazarus Group may manage to breach a large hosting
provider, and deliver ransomware to every customer. Such an attack is not only likely, but
also fits within Lazarus Group’s modus operandi: an attack which infects dozens or hundreds
of customers may also effectively obfuscate their true purpose, in the same way HERMES
was used to mask SWIFT fraud. [McAfee Labs makes similar observations, finding that Ryuk](https://web.archive.org/web/20200922165625/https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-exploring-the-human-connection/)
(and by extension Lazarus Group) pose an existential risk to IT Hosting and Freight /
Logistics firms.

In the sport of malware-as-a-moneymaking-mechanism, Lazarus Group is a world-class
player, and will certainly continue its trend of constantly evolving tactics and targets.

Who we are


-----

The Threat Intelligence -Team helps clients to reduce the threat posed by adversaries to their
networks by leveraging the power of collaborative defense in combination with
comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable
intelligence on all levels – from atomic Indicators of Compromise (IoC) to insights into the
political, economic and cultural context of adversaries.


-----