Researchers tie ransomware families to North Korean cyber-army

The North Korean army is continuing to try its hand at ransomware, according to a new report from cybersecurity firm Trellix.

Christiaan Beek, lead scientist with the company’s threat research division, released a report on Tuesday tying four ransomware families — BEAF, PXJ, ZZZZ and CHiCHi — to the prolific Unit 180 of North Korea’s cyber-army. 

Trellix said the unit has been behind several ransomware attacks on organizations across Asia since 2020, when researchers first discovered the VHD ransomware and tied it to actors connected to the North Korean military.

Beek explained that the source code for the VHD ransomware has similarities and ties to the four ransomware strains mentioned in the report. 

“We suspect the ransomware families described in this blog are part of more organized attacks. Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to DPRK affiliated hackers with high confidence,” Beek said. 

“Besides global banks, blockchain providers and users from South Korea were also attacked and infiltrated using spear-phishing emails, fake mobile applications, and even fake companies. Since these attacks were predominantly observed targeting the APAC region with targets in Japan and Malaysia for example, we anticipate these attacks might have been executed to discover if ransomware is a valuable way of gaining income.”

Beek added that the ransomware families listed are not widespread and were used to target specific organizations in Asia. The Unit 180 group described in the report is tasked with attacking foreign financial systems, including banks and cryptocurrency exchanges. The stolen money is used to fund the country’s nuclear and missile programs, according to experts. 

Recorded Future ransomware expert Allan Liska noted that there tends to be much less reporting of ransomware attacks in Asia. There were several ransomware incidents on organizations…

