
VHD Ransomware Linked to North Korea’s Lazarus Group
2022-05-05 12:20

Cryptocurrency thief Lazarus Group appears to be widening its scope into using ransomware as a way to rip off financial institutions and other targets in the Asia-Pacific region, researchers have found.

Financial transactions and similarities to previous malware in its source code link a recently emerged ransomware strain called VHD to the North Korean threat actors, also known as Unit 180 or APT35.

Knowing that ransomware has emerged as part of the toolkit of the North Korean cyber army, Trellix researchers peered under the hood of the VHD code to find similarities that they believed pointed to reuse from previous ransomware, Beek wrote.

Researchers identified code from four ransomware families known to be used by North Korean threat actors (BGEAF, PXJ, ZZZZ and CHiCHi) in the code of VHD. While the Tflower and ChiChi families share only generic-function code with VHD, "the ZZZZ ransomware is almost an exact clone of the Beaf ransomware family," which has been linked to North Korea, Beek wrote.

The use of the MATA framework in VHD (a framework that has also been used to spread the Tflower ransomware family) further links VHD to Lazarus, as MATA has previously been linked to North Korea, researchers said.

Researchers then investigated the various ransomware families they had linked to North Korea, all of which seemed to target specific entities in the APAC region, to try to find financial overlap between them.


News URL

https://threatpost.com/vhd-ransomware-lazarus-group/179507/