The Hermit Kingdom’s Ransomware play
2022-05-03 • Trellix
Trellix examines ransomware activity it attributes with high confidence to DPRK-affiliated hackers, framing it against North Korea’s financially motivated operations against banks, cryptocurrency targets, and APAC victims. The excerpt focuses on VHD ransomware and related families, noting distribution through the MATA framework and artifacts linking the activity to North Korean operators. Code-similarity work connected VHD with BEAF and ZZZZ ransomware, while Tflower and ChiChi showed weaker or more generic overlap; BEAF’s extension also matched the first four bytes of APT38’s Beefeater handshake. The investigation found targeted, relatively small ransomware operations in APAC, including Japan and Malaysia, suggesting DPRK actors may have been testing ransomware as another revenue-generating method.
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| | [email protected] | 2022-05-03 | 2022-05-03 |