Multiple ransomware strains have been associated with the North Korea-supported hacking group APT38. The group, which is considered a subgroup of the infamous Lazarus group, targets and steals funds from financial institutions globally.

What has happened?

A threat researcher from Trellix claimed that APT38 operators (aka Unit 180 of North Korea) have used Beaf, ZZZZ, ChiChi, and PXJ ransomware strains to extort some of their victims.
  • Three families (ZZZZ, PKJ, and Beaf) share a significant amount of code with VHD source code, which has already been associated with the Lazarus APT group.
  • While Tflower and ChiChi share some code with VHD, the overlap was for more generic functions instead of typical shared code and features.
  • The researchers observed two strains being deployed on victims' networks using the cross-platform MATA malware framework, a malicious tool exclusively used by Lazarus operators.

More similarities 

  • Based on code visualization using Hilbert curve mapping, it was discovered that Beaf, ZZZZ, and PXJ share source code and features with TFlower and VHD ransomware. 
  • Additionally, Beaf and ZZZZ are clones of each other.
  • ChiChi's codebase has almost no common points, however, a common email address (e.g. Semenov[.]akkim@protonmail[.]com) was being used by both ZZZZ and ChiChi in their ransom notes.

Cyberattacks using these ransomware families only targeted businesses in the APAC region, making it harder to find the victims' names since there were no leak sites or negotiation chats.

Additional insights

Researchers tried to find out additional links by examining the cryptocurrency transfers behind ransom payments. However, they found no overlap in the crypto wallets for the collection of the ransom.
  • The North Korean attackers were discovered collecting only small amounts of crypto assets. For example, a 2.2 BTC transfer happened in mid-2020 and was worth approx $20,000.
  • Further, both Tflower and ChiChi are extensively different in comparison to VHD ransomware.


Researchers have attributed these ransomware strains to DPRK-affiliated hackers with high confidence. This further shows the growing interest of North Korean hackers in using ransomware to extort money. Thus, organizations should stay protected by using reliable anti-malware solutions.

Cyware Publisher