VHD Ransomware Variant Linked to North Korean Cyber Army

Researchers use code, Bitcoin transactions to link ransomware attacks on banks to DPRK-sponsored actors.

Dark Reading Staff, Dark Reading

May 4, 2022

1 Min Read
North Korean flag
Source: Panther Media GmbH via Alamy

The ransomware strain known as VHD has been traced to North Korean state actor APT38 by a team of researchers using detailed code analysis and following a Bitcoin trail. 

The Democratic People's Republic of Korea (DPRK) has used ransomware for several years to raise money for state coffers, including the February 2016 Bangladesh bank heist in which attackers tried to use the SWIFT banking system to steal almost US$1 billion, explains Trellix researcher Christiaan Beek in a new blog post. 

Beek and a team of fellow cybersecurity analysts linked North Korea's cyber army to the VHD ransomware, which they said has been used in ransomware attacks on global financial systems and cryptocurrency exchanges since March 2020. The analysts compared known DPRK code with VHD ransomware and found stark similarities, the post states. Bitcoin transactions overlapping between known DPRK-sponsored cybercrime groups were also reported by the team. 

"We suspect the ransomware families described in this blog are part of more organized attacks," Beek adds. "Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to DPRK affiliated hackers with high confidence."

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights