VHD Ransomware - DPRK Threat Intelligence | lazarus.day

VHD Ransomware

#VHD • 2020-07

ZZZ

#FinancialGain

Kaspersky linked VHD ransomware operations to Lazarus after incident-response evidence found the MATA framework backdoor in the same victim environment and no sign of another actor during the intrusion. The campaign used victim-specific spreading utilities, administrative credentials, SMB brute forcing, WMI execution, VPN exploitation, Active Directory takeover, and network-wide ransomware staging, while later reporting framed VHD as part of DPRK-linked financially motivated ransomware experimentation.

6

Related Reports
1

Affected Countries
71

Months Since

Related Actors

Lazarus

Novetta

He is everywhere

Operation Blockbuster

First seen: 2016-02 • Last seen: 2026-06

Related Reports

2022-09-22

Trellix

The Sound of Malware

#Ransomware #VHD

2022-09-07

UN

S/2022/668 Midterm report of the Panel of Experts

#DreamJob #Kimsuky #Sanctions #Bluenoroff #NukeSped #Stonefly #VHD

2022-05-03

Trellix

The Hermit Kingdom’s Ransomware play

#APT38 #Ransomware #MATA #VHD

2020-10-19

Kaspersky

Deep dive into cybercrime-like APT attack of Lazarus group

#Ransomware #Slides #VHD #Lazarus

2020-07-28

Kaspersky

Lazarus on the hunt for big game

#Ransomware #MATA #VHD #Lazarus

2020-07-23

Redpacketsecurity

Dacls RAT’s goals are to steal customer data and spread ransomware

#Dacls #VHD