Researchers tie ransomware families to North Korean cyber-army
Jonathan Greig May 3, 2022
The North Korean army is continuing to try its hand at ransomware, according to a new report from cybersecurity firm Trellix.

Christiaan Beek, lead scientist with the company’s threat research division, released a report on Tuesday tying four ransomware families, BEAF, PXJ, ZZZZ and CHiCHi, to the prolific Unit 180 of North Korea’s cyber-army.

Trellix said the unit is behind several ransomware attacks on organizations across Asia since 2020, when researchers first discovered the VHD ransomware and tied it to actors connected to the North Korean military. 

Beek explained that the source code for the VHD ransomware has similarities and ties to the four ransomware strains mentioned in the report. 

“We suspect the ransomware families described in this blog are part of more organized attacks. Based on our research, combined intelligence, and observations of the smaller targeted ransomware attacks, Trellix attributes them to DPRK affiliated hackers with high confidence,” Beek said. 

“Besides global banks, blockchain providers and users from South Korea were also attacked and infiltrated using spear-phishing emails, fake mobile applications, and even fake companies. Since these attacks were predominantly observed targeting the APAC region with targets in Japan and Malaysia for example, we anticipate these attacks might have been executed to discover if ransomware is a valuable way of gaining income.”

Beek added that the ransomware families listed are not widespread and were used to target specific organizations in Asia. The Unit 180 group described in the report is tasked with attacking foreign financial systems, including banks and cryptocurrency exchanges. The stolen money is used to fund the country’s nuclear and missile programs, according to experts.

Recorded Future ransomware expert Allan Liska noted that there tends to be much less reporting of ransomware attacks in Asia. There were several ransomware incidents on organizations based in Asia over the last few years, Liska said, naming attacks on Honda, Golden Duck Group in Thailand, Beranda – Pertamina Gas in Indonesia and the Small Industries Development Bank of India.

“Over the past 2-3 years we’ve seen North Korea use ransomware primarily against targets in Asia, which may be why it doesn’t get as much attention as other types of attacks,” Liska said. “So an attack type that is already severely underreported is even more so in Asia. This serves as a reminder that Russia isn’t the only place where ransomware attacks are coming from.”

IBM’s annual X-Force Threat Intelligence Index found that ransomware accounted for 11% of all cyberattacks in the APAC region in 2021. 

Several other reports from Sophos and Claroty found startling increases in ransomware attacks throughout Asia in 2021. In October, the United Nations Office on Drugs and Crime (UNODC) released a report that spotlighted several ransomware attacks across Asia in 2021, including one in September affecting a Malaysian web-hosting service. The ransomware group demanded a ransom of $900,000. 

Four subsidiaries of an international insurance company in Thailand, Malaysia, Hong Kong and the Philippines were hit with a ransom demand of $20 million after an attack in May 2021. The UN noted that there have been several ransomware attacks in Thailand affecting hospitals and other organizations. 

“Ransomware attacks have skyrocketed in the past years, increasingly targeting critical national infrastructures, disrupting business processes, and compromising vital data that they require to function,” said Alexandru Caciuloiu, UNODC Cybercrime and Cryptocurrency Advisor for Southeast Asia and the Pacific.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.