Experts from Trellix discovered that the VHD Ransomware is linked to the North Korean cyber army. The North Korean cyber army has been divided into units, all of which have different tasks and report to the ‘Bureau (or Lab) 121’.
Unit 180, also known as APT38 was responsible for attacks on foreign financial systems, including banks and cryptocurrency exchanges.
The report said Unit 180 actors generally resided in outside countries such as China, Russia, Malaysia, Thailand, Bangladesh, Indonesia, India, Kenya and Mozambique to hide the unit’s links to the hermit kingdom of North Korea.
Also, defectors have revealed that obtaining funds for the government is carried out by more actors than the country’s ‘elite hackers’.
VHD Ransomware
VHD is a standard ransomware tool that spreads through the drives connected to the target device, encrypts all files, and deletes all system volume information folders preventing the affected system from being recovered.
Researchers used source code from the VHD ransomware family and identified the following families:
- BEAF Ransomware
- PXJ Ransomware
- ZZZZ ransomware
- CHiCHi . Ransomware
From the analysis, the four letters of the ransomware “BEAF” (BEAF is the extension used for encrypted files), are exactly the same as the first four bytes of the handshake of the APT38 tool known as Beefeater.
ZZZZ ransomware is a replica of the Beaf ransomware family. The researchers say the Tflower and ChiChi families share some small code with VHD, but that it will be more general functionality than typical shared code and functionality.
Experts used Hilbert curves to visualize code from different malware families and found that Tflower and ChiChi were very different when compared to VHD.


To identify financial traces with overlap between families, researchers extracted Bitcoin (BTC) wallet addresses and started tracking and monitoring transactions.
“We did not find any overlap in transfer wallets between families. However, we found that the ransom amount paid was relatively small,” the researchers said.
final word
According to experts from Trellix, apart from global banks, blockchain providers and users from South Korea were also attacked using spear-phishing emails, fake mobile apps, as well as fake companies.
All of these attacks appear to have targeted the APAC region with targets in Japan and Malaysia. Therefore, experts suspect this attack might be carried out to find out if ransomware is a valuable way to earn money.
“Based on our research, combined intelligence, and observations of smaller targeted ransomware attacks, Trellix associates it with DPRK-affiliated hackers with high confidence,” concludes the blog.