Menu
Browse

Cyber Threat Actor: Min

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Criminal
North Korea
1 incident
Profile

Min andGap Ryong are the known aliases used by a threat actor that has been linked to North Korea. The actor’s location is identified as North Korea, and the available information points to a focus on Chinese governmental targets. In the observed incident, the actor sought financial gain through a ransomware operation that demanded payment in cryptocurrency. The targeting appears limited to district‑level government entities within China, with no evidence of broader sectoral involvement reported. The attack’s objective was explicitly to extort money from victims by encrypting their systems and requesting payment via Tor.

The actor’s typical tactics involve initial access through phishing emails that masquerade as urgent police notifications, delivering a compressed attachment that contains the GandCrab ransomware family. This method relies on social engineering to trick recipients into opening the malicious file, after which the ransomware encrypts the victim’s hard drive. Payment instructions are conveyed through Tor‑based services, reflecting a preference for anonymized cryptocurrency transactions. Attribution to North Korea remains suggestive rather than definitive, arising from the use of a Korean‑associated name in the attack infrastructure. The most notable publicly reported operation associated with this actor is the March 11 2019 ransomware campaign against a Chinese district government, which prompted nationwide warnings and highlighted an unusual case of crypto‑ransom demands aimed at state entities.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
0 sources