A group of hackers associated with the North Korean regime have kept their crypto extortion efforts alive in 2020.

A group of North Korean hackers operating under the name “Lazarus” targeted several crypto exchanges last year, according to a report published by Chainalysis.

One of the attacks involved the creation of a fake trading bot which was offered to employees of the DragonEx exchange. Findings show that in March 2019, the hackers stole approximately $7 million in various cryptocurrencies from the Singapore-based exchange. 

Cybersecurity vendor Cyfirma warned in June about a massive crypto phishing campaign that could be launched by the North Korean hacker group.

The campaign will allegedly target six nations and over 5 million businesses and individuals. For now, there are no confirmed signs that the team plans to proceed with this massive attack.

Authorities sanction collaborators

The hacker group is also known to have stolen a staggering $571 million in cryptocurrencies since early 2017, according to a study conducted by cybercrime company, Group-IB.

In March, the U.S. Department of the Treasury’s Office of Foreign Assets Control, or OFAC, sanctioned two Chinese nationals accused of laundering cryptocurrency that was stolen in a 2018 crypto exchange hack.

New ransomware emerges

On July 28, a study performed by the antivirus maker and malware lab, Kaspersky, announced that a new ransomware had been created by Lazarus. This new threat, known as VHD, mostly targets the internal networks of companies in the economic sector.

James McQuiggan, security awareness advocate at KnowBe4, explained to Cointelegraph how the VHD ransomware operates: 

“A VHD, or Virtual Hard Disk, is a similar concept to that of a USB drive. Instead of physically inserting the USB drive into the port on a computer, the VHD file can be downloaded onto a system to launch the ransomware attack process. For cybercriminals, they don't need physical access, just electronic access to download the file. This type of attack requires access to the systems. By exploiting external and vulnerable infrastructure or systems, they gain the access needed."

Group running solo ops

Kaspersky researchers speculated on the possible reasons behind Lazarus’ working solo ops:

“We can only speculate about the reason why they are now running solo ops: maybe they find it difficult to interact with the cybercrime underworld, or maybe they felt they could no longer afford to share their profits with third parties.”

Lazarus usually breaches a company’s network to encrypt their data. They then proceed to ask victims for a crypto-based ransom, with a preference for Monero (XMR).