Lazarus on the hunt for big game

2020-07-28 Kaspersky

https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/


Kaspersky attributed the VHD ransomware operations to Lazarus after incident-response evidence showed a MATA framework backdoor in the same victim environment, with no sign of any other actor during the intrusion. In one European incident, the attackers used a victim-specific spreading utility that carried administrative credentials and a list of IP addresses: it brute-forced SMB on those hosts, copied the ransomware onto them, and executed it through WMI. A later case likely began with opportunistic exploitation of a VPN gateway, followed by privilege escalation, deployment of a backdoor, takeover of Active Directory, and network-wide staging of VHD through a Python downloader, all within about 10 hours. The ransomware encrypts files with AES-256 in ECB mode and protects the key material with RSA-2048. The report lists MATA command-and-control infrastructure and VHD hashes. The activity is notable because it is a targeted ransomware operation run by Lazarus itself, rather than a typical case of the outsourced cybercrime ecosystem.

Indicators of Compromise

Type    Value                               First Seen   Last Seen
IPv4    104.232.71.7                        2020-07-22   2021-03-23
IPv4    172.93.184.62                       2020-07-22   2021-03-23
IPv4    23.227.199.69                       2020-07-22   2021-03-23
HASH    ccc6026acf7eadada9adaccab70ca4d6    2020-07-28   2020-07-28
HASH    dd00a8610bb84b54e99ae8099db1fc20    2020-07-28   2020-07-28
HASH    d0806c9d8bcea0bd47d80fa004744d7d    2020-07-28   2020-07-28
HASH    efd4a87e7c5dcbb64b7313a13b4b1012    2020-07-28   2020-07-28
HASH    6d12547772b57a6da2b25d2188451983    2020-07-28   2020-07-28
DOMAIN  mnmski.cafe24.com                   2020-07-28   2020-07-28
