Localization of Ransomware, New Change or Temporary Phenomenon?
2023-01-26 • AhnLab
https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_3_jacky_en.pdf
Attachments
JSAC2023_2_3_jacky_en.pdf (1 MB)
AhnLab’s JSAC 2023 material surveys ransomware localization in South Korea and includes a government-sponsored threat actor section citing Kaspersky’s disclosure that Andariel used ransomware. The DPRK-relevant portion notes a September 2020 customer sample, a July 2022 Maui ransomware attack reference, and December 2022 South Korean police findings involving a North Korean hacking organization email address. The broader Korean ransomware cases show localized tradecraft such as Korean-language lures, region-specific file extensions, vulnerable server targeting, and deployment through local environments, but the excerpt does not provide detailed Andariel infection-chain or IOC evidence. The value for Lazarus Day tracking is that the source places Andariel-linked ransomware activity inside a wider Korean ransomware-localization trend without attributing every Korean ransomware case to North Korea.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| URL | https://www.traveltip.org/count… | 2023-01-26 | 2023-01-26 |
| URL | https://www.healthcareitnews.co… | 2023-01-26 | 2023-01-26 |