North Korea’s Crypto-Extortion Efforts Have Expanded Considerably in 2020

North Korea’s Crypto-Extortion Efforts Have Expanded Considerably in 2020

A group of hackers linked to the North Korean regime kept their efforts at crypto-extortion alive in 2020.

According to a report published by Chainalysis, a group of North Korean hackers operating under the name “Lazarus” targeted several crypto-exchanges last year.

One of the attacks involved creating a fake trading bot that had been offered to DragonEx exchange employees. Findings show that the hackers stole roughly $7 million from the Singapore-based exchange in various cryptocurrencies in March 2019.

In June, cybersecurity vendor Cyfirma warned of a massive crypto-phishing campaign that the North Korean hacker group could launch.

The campaign allegedly targets six nations and more than five million individuals and businesses. There are no confirmed signs for now that the team plans to carry on with this massive attack.

Authorities sanction collaborators

The group of hackers is also known to have stolen a staggering $571 million in cryptocurrencies since early 2017. Group-IB according to a study by cybercrime company.

U.S. — In March, the Foreign Assets Control Office of the Treasury Department, or OFAC. Sanctioned two Chinese nationals accused of cryptocurrency laundering that was stolen in a 2018 crypto-exchange hack.

New ransomware emerges

On July 28, a study conducted by Kaspersky, the antivirus maker and malware lab, announced Lazarus had created new ransomware. This new threat, known as VHD, mainly targets businesses’ internal economic sector networks.

James McQuiggan, KnowBe4’s security awareness advocate, explained how the VHD ransomware operates:

“A VHD, or Virtual Hard Disk, is a similar concept to that of a USB drive. Instead of physically inserting the USB drive into the port on a computer. The VHD file can be downloaded onto a system to launch the ransomware attack process. For cybercriminals, they don’t need physical access, just electronic access to download the file. This type of attack requires access to the systems. By exploiting external and vulnerable infrastructure or systems, they gain the access needed.”

Group running solo ops

Kaspersky researchers speculated on the possible reasons behind work solo ops by Lazarus:

“We can only speculate about the reason why they are now running solo ops. Maybe they find it difficult to interact with the cybercrime underworld. Or maybe they felt they could no longer afford to share their profits with third parties.”

Usually, Lazarus breaches the network of a company for encrypting their data. They then proceed to ask for a crypto-based ransom for victims, with Monero (XMR) preference.