{
	"id": "c5fc8001-a0c9-4624-968c-6cbaff7280b8",
	"created_at": "2026-04-06T00:09:02.466484Z",
	"updated_at": "2026-04-10T13:12:34.105042Z",
	"deleted_at": null,
	"sha1_hash": "64ad96b5eba48a40dacbaf9f292c75f0ac0e1884",
	"title": "Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 50259,
	"plain_text": "Enterprise Malware-as-a-Service: Lazarus Group and the Evolution of Ransomware\r\nPublished: 2019-03-18 · Archived: 2026-04-05 17:01:25 UTC\r\nIn an interesting twist to the use of ransomware, an attacker leveraged a vulnerability in a plug-in for a remote-monitoring tool, Kaseya VSA, to gain access to a small Managed Services Provider (MSP), and infected approximately 80 companies with the GandCrab ransomware. This is a notable shift in tactics for purveyors of ransomware, and follows the trend of commercial crimeware being used to attack businesses, and now service providers, rather than individuals.\r\nThe History of Ransomware: From Userspace to the Enterprise\r\nThe history of ransomware (extortion via malicious software) goes all the way back to 1989, with PC Cyborg, also known as the AIDS Trojan, written by Joseph Popp. The malware had serious flaws: because it relied on symmetric cryptography, the key could be recovered from the code itself, and it ultimately did little damage in comparison to the most destructive attacks to date, WannaCry and Petya/NotPetya. The first robust ransomware design emerged with the introduction of public-key cryptography to the ransomware concept by Adam L. Young and Moti Yung. Young and Yung's experimental malware demonstrated the idea, and they coined the term cryptovirology, encompassing overt and covert attacks utilizing cryptographic functions. By 2006, various ransomware families had begun to utilize more sophisticated RSA encryption schemes and larger key sizes. In 2008, the malware known as Gpcode.AK utilized a 1024-bit RSA key, which was determined to be computationally infeasible to break without a distributed effort.\r\nIn 2013, the now infamous CryptoLocker ransomware netted its operators an estimated $27 million from infected users, shooting ransomware to the top of the profitable e-crimes list next to banking trojans. 
CryptoLocker itself evolved, and soon began targeting network-attached storage devices, and in 2015 began to target Linux-based web servers. Further evolution of ransomware came with CryptoWall, which utilized a digital signature in an effort to appear trustworthy. CryptoWall took further destructive measures as well, deleting volume shadow copies so that local backups could not be used for recovery, on top of its password-stealing and Bitcoin wallet hijacking capabilities. The SamSam ransomware, first detected in 2016, targeted JBoss servers. Rather than utilizing email phishing and malicious documents, SamSam directly infected web servers over the internet. Victims of SamSam included hospitals and local governmental bodies in the United States: the city of Atlanta, GA, USA, was completely crippled by SamSam in March 2018.\r\nIn May 2017, the highly destructive WannaCry ransomware spread across the internet using an exploit named EternalBlue which was leaked from the U.S. National Security Agency. An estimated 230,000 systems were infected in more than 150 countries. The malicious software demanded money from users in 20 different languages. 
WannaCry was the first ransomware to hit enterprise organizations at global scale, including Telefónica, the British National Health Service, FedEx, Deutsche Bahn, Honda, Renault, and even the Russian Interior Ministry. For the first time, the global enterprise was forced to deal with threats which were unconcerned with stealing trade secrets, but instead acted to cause as much destructive damage as possible if their demands were not met.\r\nhttps://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/\r\nPage 1 of 3\n\nThe Petya ransomware first appeared in March 2016, and in June 2017 a heavily modified variant, NotPetya, wreaked havoc on business, most notably the logistics firm Maersk, whose business IT infrastructure was almost completely destroyed; terminals in four countries were impacted, causing delays and disruptions for weeks. Industry experts, including the noted exploit developer known by his handle, the grugq, observed that NotPetya’s purpose appeared to be wholly destructive and without concern for collecting extortion fees, which is the general operation of file-locking malware: the per-victim installation key shown in its ransom note was random data, so even the operators could not have decrypted a victim’s files. Instead, NotPetya simply performed permanently destructive acts on the systems it infected.\r\nNation-State Cyber-Attacks as a Service\r\nA ransomware known as HERMES began appearing in October 2017, when it was used in an attack against the Far Eastern International Bank in Taiwan, in which $60 million was stolen through a sophisticated attack on the bank’s SWIFT system. Notably, the HERMES ransomware appeared to be used solely as a diversion from the true heist: the attack on the SWIFT system. 
Almost one year later, in August of 2018, a new type of ransomware infection burst onto the stage: named Ryuk, after the name with which the ransom notes were signed, its victims later included large newspaper publications such as the New York Times, Los Angeles Times, and Wall Street Journal.\r\nHERMES was attributed to the infamous Lazarus Group, believed to be funded by the government of North Korea. As samples of Ryuk were analyzed, it was found to re-use code from HERMES, which was read as a solid link to Lazarus Group, although shared code on its own is weak evidence of shared operators. Ryuk is a fully-developed ransomware package, and unlike HERMES, is not a decoy: the malware is wholly intended for the task of digital extortion. Ryuk marks the third time that Lazarus Group has used destructive malware against its targets, the most notable being Sony Pictures in late 2014, where wiper malware was used to destroy studio infrastructure.\r\nDominating ransomware news recently has been the ransomware-as-a-service GandCrab: the software is maintained by a dedicated development team, who deliver frequent updates with additional capabilities and evasion techniques. Continuing with the trend of organized crimeware targeting businesses instead of end-users, GandCrab was used to infect the customers of a small Managed Services Provider, by way of breaching the MSP itself. Rather than the MSP, the customers bore the infection and potential costs of ransom. By targeting the MSP, the attackers managed to infect 80 victims at the same time. 
Practical and efficient.\r\nOpinion: Lazarus Group and the Evolving Landscape of Enterprise-capable Malware\r\nThe trend of crimeware shifting from targeting end-users to targeting the enterprise has continued in other malware areas, specifically with the evolution of the Emotet malware, a trojan which originally targeted banking information. First identified by researchers in 2014, it has evolved from a simple money-stealing trojan which spreads via malspam campaigns to a sophisticated malware toolkit capable of stealing emails and reportedly spreading via the infamous EternalBlue exploit. Emotet is now capable of infecting an entire organization via its lateral movement capabilities.\r\nThe line between organized crimeware and nation-state espionage-ware is a fine one indeed: in a report by Cybereason’s Intelligence Unit released in February 2017 at the RSA Conference, Russia, China, and the United Arab Emirates were found to be outsourcing targeted operations to dedicated hacking groups, presumably in further attempts to mitigate risk and foil attribution. The use of outsourced labor, and potentially also malware-as-a-service, is consistent with changing tactics, techniques, and procedures to confuse and counter one’s adversaries. From a purely objective standpoint, these behaviours should be expected.\r\nLazarus Group has demonstrated a concentrated and continuous effort to develop and deliver both HERMES and Ryuk in targeted attacks, and like other skilled actors, makes efforts to incorporate new evasion, privilege escalation, and lateral movement techniques into new releases. 
Attribution in malware analysis is frequently difficult (and sometimes impossible), due to a combination of obfuscation techniques and intentionally misleading clues left by the authors for analysts who stumble upon them, in addition to the copycat nature of crimeware: where one software leads, others will follow, and this path leads straight to improvement and innovation. The authors of crimeware learn from each other’s implementations, and from the analysis performed by incident responders.\r\nIt is possible, and even likely, that Lazarus Group will manage to breach a large hosting provider and deliver ransomware to every customer. Such an attack is not only likely, but also fits within Lazarus Group’s modus operandi: an attack which infects dozens or hundreds of customers may also effectively obfuscate its true purpose, in the same way HERMES was used to mask SWIFT fraud. McAfee Labs makes similar observations, finding that Ryuk (and by extension Lazarus Group) poses an existential risk to IT hosting and freight / logistics firms.\r\nIn the sport of malware-as-a-moneymaking-mechanism, Lazarus Group is a world-class player, and will certainly continue its trend of constantly evolving tactics and targets.\r\nWho we are\r\nThe Threat Intelligence Team helps clients to reduce the threat posed by adversaries to their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence on all levels – from atomic Indicators of Compromise (IoC) to insights into the political, economic and cultural context of adversaries.\r\nSource: https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20200922165625/https://dcso.de/2019/03/18/enterprise-malware-as-a-service/"
	],
	"report_names": [
		"enterprise-malware-as-a-service"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "732597b1-40a8-474c-88cc-eb8a421c29f1",
			"created_at": "2025-08-07T02:03:25.087732Z",
			"updated_at": "2026-04-10T02:00:03.776007Z",
			"deleted_at": null,
			"main_name": "NICKEL GLADSTONE",
			"aliases": [
				"APT38 ",
				"ATK 117 ",
				"Alluring Pisces ",
				"Black Alicanto ",
				"Bluenoroff ",
				"CTG-6459 ",
				"Citrine Sleet ",
				"HIDDEN COBRA ",
				"Lazarus Group",
				"Sapphire Sleet ",
				"Selective Pisces ",
				"Stardust Chollima ",
				"T-APT-15 ",
				"TA444 ",
				"TAG-71 "
			],
			"source_name": "Secureworks:NICKEL GLADSTONE",
			"tools": [
				"AlphaNC",
				"Bankshot",
				"CCGC_Proxy",
				"Ratankba",
				"RustBucket",
				"SUGARLOADER",
				"SwiftLoader",
				"Wcry"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a2b92056-9378-4749-926b-7e10c4500dac",
			"created_at": "2023-01-06T13:46:38.430595Z",
			"updated_at": "2026-04-10T02:00:02.971571Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Operation DarkSeoul",
				"Bureau 121",
				"Group 77",
				"APT38",
				"NICKEL GLADSTONE",
				"G0082",
				"COPERNICIUM",
				"Moonstone Sleet",
				"Operation GhostSecret",
				"APT 38",
				"Appleworm",
				"Unit 121",
				"ATK3",
				"G0032",
				"ATK117",
				"NewRomanic Cyber Army Team",
				"Nickel Academy",
				"Sapphire Sleet",
				"Lazarus group",
				"Hastati Group",
				"Subgroup: Bluenoroff",
				"Operation Troy",
				"Black Artemis",
				"Dark Seoul",
				"Andariel",
				"Labyrinth Chollima",
				"Operation AppleJeus",
				"COVELLITE",
				"Citrine Sleet",
				"DEV-0139",
				"DEV-1222",
				"Hidden Cobra",
				"Bluenoroff",
				"Stardust Chollima",
				"Whois Hacking Team",
				"Diamond Sleet",
				"TA404",
				"BeagleBoyz",
				"APT-C-26"
			],
			"source_name": "MISPGALAXY:Lazarus Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "32a223a8-3c79-4146-87c5-8557d38662ae",
			"created_at": "2022-10-25T15:50:23.703698Z",
			"updated_at": "2026-04-10T02:00:05.261989Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"Lazarus Group",
				"Labyrinth Chollima",
				"HIDDEN COBRA",
				"Guardians of Peace",
				"NICKEL ACADEMY",
				"Diamond Sleet"
			],
			"source_name": "MITRE:Lazarus Group",
			"tools": [
				"RawDisk",
				"Proxysvc",
				"BADCALL",
				"FALLCHILL",
				"WannaCry",
				"MagicRAT",
				"HOPLIGHT",
				"TYPEFRAME",
				"Dtrack",
				"HotCroissant",
				"HARDRAIN",
				"Dacls",
				"KEYMARBLE",
				"TAINTEDSCRIBE",
				"AuditCred",
				"netsh",
				"ECCENTRICBANDWAGON",
				"AppleJeus",
				"BLINDINGCAN",
				"ThreatNeedle",
				"Volgmer",
				"Cryptoistic",
				"RATANKBA",
				"Bankshot"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f32df445-9fb4-4234-99e0-3561f6498e4e",
			"created_at": "2022-10-25T16:07:23.756373Z",
			"updated_at": "2026-04-10T02:00:04.739611Z",
			"deleted_at": null,
			"main_name": "Lazarus Group",
			"aliases": [
				"APT-C-26",
				"ATK 3",
				"Appleworm",
				"Citrine Sleet",
				"DEV-0139",
				"Diamond Sleet",
				"G0032",
				"Gleaming Pisces",
				"Gods Apostles",
				"Gods Disciples",
				"Group 77",
				"Guardians of Peace",
				"Hastati Group",
				"Hidden Cobra",
				"ITG03",
				"Jade Sleet",
				"Labyrinth Chollima",
				"Lazarus Group",
				"NewRomanic Cyber Army Team",
				"Operation 99",
				"Operation AppleJeus",
				"Operation AppleJeus sequel",
				"Operation Blockbuster: Breach of Sony Pictures Entertainment",
				"Operation CryptoCore",
				"Operation Dream Job",
				"Operation Dream Magic",
				"Operation Flame",
				"Operation GhostSecret",
				"Operation In(ter)caption",
				"Operation LolZarus",
				"Operation Marstech Mayhem",
				"Operation No Pineapple!",
				"Operation North Star",
				"Operation Phantom Circuit",
				"Operation Sharpshooter",
				"Operation SyncHole",
				"Operation Ten Days of Rain / DarkSeoul",
				"Operation Troy",
				"SectorA01",
				"Slow Pisces",
				"TA404",
				"TraderTraitor",
				"UNC2970",
				"UNC4034",
				"UNC4736",
				"UNC4899",
				"UNC577",
				"Whois Hacking Team"
			],
			"source_name": "ETDA:Lazarus Group",
			"tools": [
				"3CX Backdoor",
				"3Rat Client",
				"3proxy",
				"AIRDRY",
				"ARTFULPIE",
				"ATMDtrack",
				"AlphaNC",
				"Alreay",
				"Andaratm",
				"AngryRebel",
				"AppleJeus",
				"Aryan",
				"AuditCred",
				"BADCALL",
				"BISTROMATH",
				"BLINDINGCAN",
				"BTC Changer",
				"BUFFETLINE",
				"BanSwift",
				"Bankshot",
				"Bitrep",
				"Bitsran",
				"BlindToad",
				"Bookcode",
				"BootWreck",
				"BottomLoader",
				"Brambul",
				"BravoNC",
				"Breut",
				"COLDCAT",
				"COPPERHEDGE",
				"CROWDEDFLOUNDER",
				"Castov",
				"CheeseTray",
				"CleanToad",
				"ClientTraficForwarder",
				"CollectionRAT",
				"Concealment Troy",
				"Contopee",
				"CookieTime",
				"Cyruslish",
				"DAVESHELL",
				"DBLL Dropper",
				"DLRAT",
				"DRATzarus",
				"DRATzarus RAT",
				"Dacls",
				"Dacls RAT",
				"DarkComet",
				"DarkKomet",
				"DeltaCharlie",
				"DeltaNC",
				"Dembr",
				"Destover",
				"DoublePulsar",
				"Dozer",
				"Dtrack",
				"Duuzer",
				"DyePack",
				"ECCENTRICBANDWAGON",
				"ELECTRICFISH",
				"Escad",
				"EternalBlue",
				"FALLCHILL",
				"FYNLOS",
				"FallChill RAT",
				"Farfli",
				"Fimlis",
				"FoggyBrass",
				"FudModule",
				"Fynloski",
				"Gh0st RAT",
				"Ghost RAT",
				"Gopuram",
				"HARDRAIN",
				"HIDDEN COBRA RAT/Worm",
				"HLOADER",
				"HOOKSHOT",
				"HOPLIGHT",
				"HOTCROISSANT",
				"HOTWAX",
				"HTTP Troy",
				"Hawup",
				"Hawup RAT",
				"Hermes",
				"HotCroissant",
				"HotelAlfa",
				"Hotwax",
				"HtDnDownLoader",
				"Http Dr0pper",
				"ICONICSTEALER",
				"Joanap",
				"Jokra",
				"KANDYKORN",
				"KEYMARBLE",
				"Kaos",
				"KillDisk",
				"KillMBR",
				"Koredos",
				"Krademok",
				"LIGHTSHIFT",
				"LIGHTSHOW",
				"LOLBAS",
				"LOLBins",
				"Lazarus",
				"LightlessCan",
				"Living off the Land",
				"MATA",
				"MBRkiller",
				"MagicRAT",
				"Manuscrypt",
				"Mimail",
				"Mimikatz",
				"Moudour",
				"Mydoom",
				"Mydoor",
				"Mytob",
				"NACHOCHEESE",
				"NachoCheese",
				"NestEgg",
				"NickelLoader",
				"NineRAT",
				"Novarg",
				"NukeSped",
				"OpBlockBuster",
				"PCRat",
				"PEBBLEDASH",
				"PLANKWALK",
				"POOLRAT",
				"PSLogger",
				"PhanDoor",
				"Plink",
				"PondRAT",
				"PowerBrace",
				"PowerRatankba",
				"PowerShell RAT",
				"PowerSpritz",
				"PowerTask",
				"Preft",
				"ProcDump",
				"Proxysvc",
				"PuTTY Link",
				"QUICKRIDE",
				"QUICKRIDE.POWER",
				"Quickcafe",
				"QuiteRAT",
				"R-C1",
				"ROptimizer",
				"Ratabanka",
				"RatabankaPOS",
				"Ratankba",
				"RatankbaPOS",
				"RawDisk",
				"RedShawl",
				"Rifdoor",
				"Rising Sun",
				"Romeo-CoreOne",
				"RomeoAlfa",
				"RomeoBravo",
				"RomeoCharlie",
				"RomeoCore",
				"RomeoDelta",
				"RomeoEcho",
				"RomeoFoxtrot",
				"RomeoGolf",
				"RomeoHotel",
				"RomeoMike",
				"RomeoNovember",
				"RomeoWhiskey",
				"Romeos",
				"RustBucket",
				"SHADYCAT",
				"SHARPKNOT",
				"SIGFLIP",
				"SIMPLESEA",
				"SLICKSHOES",
				"SORRYBRUTE",
				"SUDDENICON",
				"SUGARLOADER",
				"SheepRAT",
				"SierraAlfa",
				"SierraBravo",
				"SierraCharlie",
				"SierraJuliett-MikeOne",
				"SierraJuliett-MikeTwo",
				"SimpleTea",
				"SimplexTea",
				"SmallTiger",
				"Stunnel",
				"TAINTEDSCRIBE",
				"TAXHAUL",
				"TFlower",
				"TOUCHKEY",
				"TOUCHMOVE",
				"TOUCHSHIFT",
				"TOUCHSHOT",
				"TWOPENCE",
				"TYPEFRAME",
				"Tdrop",
				"Tdrop2",
				"ThreatNeedle",
				"Tiger RAT",
				"TigerRAT",
				"Trojan Manuscript",
				"Troy",
				"TroyRAT",
				"VEILEDSIGNAL",
				"VHD",
				"VHD Ransomware",
				"VIVACIOUSGIFT",
				"VSingle",
				"ValeforBeta",
				"Volgmer",
				"Vyveva",
				"W1_RAT",
				"Wana Decrypt0r",
				"WanaCry",
				"WanaCrypt",
				"WanaCrypt0r",
				"WannaCry",
				"WannaCrypt",
				"WannaCryptor",
				"WbBot",
				"Wcry",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"WinorDLL64",
				"Winsec",
				"WolfRAT",
				"Wormhole",
				"YamaBot",
				"Yort",
				"ZetaNile",
				"concealment_troy",
				"http_troy",
				"httpdr0pper",
				"httpdropper",
				"klovbot",
				"sRDI"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434142,
	"ts_updated_at": 1775826754,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64ad96b5eba48a40dacbaf9f292c75f0ac0e1884.pdf",
		"text": "https://archive.orkl.eu/64ad96b5eba48a40dacbaf9f292c75f0ac0e1884.txt",
		"img": "https://archive.orkl.eu/64ad96b5eba48a40dacbaf9f292c75f0ac0e1884.jpg"
	}
}