North Korean state-sponsored hackers are implicated in a custom ransomware strain targeting wealthy companies, researchers from cybersecurity firm Kaspersky Labs said in a report published on Tuesday. If true, the series of attacks follow a larger cybercrime trend of ransomware-deploying groups pivoting from indiscriminate attacks with low payouts to more laborious, high-reward target operations going after wealthy organizations.

Kaspersky attributed a new strain of ransomware called VHD to the Lazarus Group, a constellation of hackers working on behalf of Pyongyang. Kaspersky found similar Tactics, Techniques, and Procedures (TTP) seen in previous Lazarus operations, as well as the use of Lazarus-linked MATA malware to install VHD onto victim computers.