In terms of functionality, VHD is fairly standard ransomware. It goes over all the disks connected to the victim's computer, encrypts files, and deletes every System Volume Information folder it encounters (an attempt to sabotage recovery from Windows restore points). In addition, the malware is able to stop processes that could otherwise prevent important files from being modified (such as Microsoft Exchange or SQL Server).
Experts investigated two VHD-related incidents, studied the attackers' pattern of actions, and note that the mechanisms used to deliver the malware to the victim's machine are more characteristic of sophisticated targeted attacks.
Thus, in the first incident, the specialists' attention was drawn to malicious code responsible for spreading VHD inside the victim's network. The malware carried a list of IP addresses of the victim's computers, as well as a set of credentials for accounts with administrator rights. This data was used for brute-force attacks on the SMB service. If the malware managed to connect over SMB to a network share on another computer, it copied itself there, executed, and encrypted the data on that machine as well.
According to experts, such a scheme of actions is not very typical for ordinary ransomware. It implies at least preliminary reconnaissance of the victim's infrastructure, which is more typical of APT campaigns.
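The SMB spreading pattern described above leaves a recognisable trace in Windows Security logs: a burst of failed network logons (event 4625, logon type 3) from a single source against several hosts, followed by a successful network logon (event 4624, logon type 3) once a credential from the list works. The following detector is an added example written for this page, not code from the report or from the malware analysts; the log format and the sample events are constructed for the example, and the thresholds (five-minute window, three failures across at least two hosts) are assumptions to be tuned per environment.

```python
"""Flag an SMB credential spray followed by a successful network logon.

Input format (constructed for this example, one event per line):
    <ISO timestamp> <host> <event_id> <source_ip> <user> <logon_type>
Event 4625 = failed logon, 4624 = successful logon; logon type 3 = network
(the type produced by SMB authentication).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 10.0.0.50 sprays three servers and finally succeeds;
# 10.0.0.21 is a user mistyping a password at the console (logon type 2).
SAMPLE_LOG = """\
2020-03-12T10:01:00 SRV01 4625 10.0.0.50 administrator 3
2020-03-12T10:01:01 SRV01 4625 10.0.0.50 backup_admin 3
2020-03-12T10:01:02 SRV02 4625 10.0.0.50 administrator 3
2020-03-12T10:01:03 SRV03 4625 10.0.0.50 administrator 3
2020-03-12T10:01:04 SRV03 4625 10.0.0.50 svc_sql 3
2020-03-12T10:01:05 SRV03 4624 10.0.0.50 svc_sql 3
2020-03-12T10:30:00 WS07 4625 10.0.0.21 jdoe 2
2020-03-12T10:30:05 WS07 4624 10.0.0.21 jdoe 2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<event>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<user>\S+)\s+(?P<ltype>\d+)$"
)


def parse_events(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "event": int(m["event"]),
            "src": m["src"],
            "user": m["user"],
            "ltype": int(m["ltype"]),
        })
    return events


def detect_smb_spray(events, window=timedelta(minutes=5),
                     min_failures=3, min_hosts=2):
    """Return one alert per source IP that produced >= min_failures network
    logon failures against >= min_hosts distinct hosts inside `window`.
    If a successful network logon from the same source falls in the window,
    the alert records which host and account it hit."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["ltype"] == 3 and ev["event"] in (4624, 4625):
            by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["event"] == 4625]
        for first in failures:  # slide the window over each failure start
            win_end = first["ts"] + window
            in_win = [e for e in failures if first["ts"] <= e["ts"] <= win_end]
            hosts = sorted({e["host"] for e in in_win})
            if len(in_win) >= min_failures and len(hosts) >= min_hosts:
                success = next((e for e in evs if e["event"] == 4624
                                and first["ts"] <= e["ts"] <= win_end), None)
                alerts.append({
                    "src": src,
                    "failures": len(in_win),
                    "hosts": hosts,
                    "success": (success["host"], success["user"]) if success else None,
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_smb_spray(parse_events(SAMPLE_LOG)):
        print(alert)
```

The filter on logon type 3 is what keeps the detector focused on SMB-style lateral movement: an interactive user fumbling a password at the console (type 2) never counts, while a single source failing against several hosts in a short window and then succeeding is exactly the reconnaissance-driven spread the report describes.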
During the study of the second incident, experts were able to restore the entire chain of infection, which looked something like this:
- attackers gained access to the victim's system by exploiting a vulnerable VPN gateway;
- got administrator rights on a compromised machine;
- installed a backdoor;
- seized control of the Active Directory server;
- infected all computers on the network with the VHD ransomware using a loader written specifically for this task. The whole process took the attackers about 10 hours.
Further analysis of the tools used by the attackers showed that the backdoor was part of the multi-platform MATA framework (aka Dacls). On this basis, the experts concluded that VHD is another tool of the Lazarus group.