Microsoft: North Korean Hackers Target SMBs With H0lyGh0st Ransomware

Microsoft this week sounded the alarm on a North Korean threat actor using the H0lyGh0st ransomware in attacks targeting small and midsize businesses worldwide.

The hackers, who call themselves H0lyGh0st and are tracked by Microsoft as DEV-0530, have been using ransomware since at least June 2021, and have successfully compromised numerous organizations since September 2021.

Similar to other ransomware gangs out there, the group engages in double extortion, threatening to release sensitive information stolen from victims unless a ransom is paid.

DEV-0530 appears connected to the North Korea-linked advanced persistent threat (APT) actor DarkSeoul (also known as Plutonium and Andariel), based on email communication and on DEV-0530’s use of tools exclusive to DarkSeoul, the Microsoft Threat Intelligence Center (MSTIC) explains.

DEV-0530 is a financially-motivated adversary that primarily uses ransomware to achieve its goals. The group attempts to legitimize its actions by claiming to help victims improve their security posture.

However, the threat actor also threatens to make victim data public on social media unless a ransom is paid. On their Tor website, the miscreants offer a contact form so that victims can get in touch with them.

According to Microsoft, the activities of DEV-0530 partially overlap with those of DarkSeoul, an APT famous for wreaking havoc in South Korea in 2013, and which was also observed targeting organizations in Europe and the United States.

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” Microsoft says.

The tech giant also noticed that the threat actor's activity is consistent with the UTC+9 time zone used in North Korea, but says that, despite these similarities, DEV-0530 is a distinct group from DarkSeoul.

Microsoft says that North Korean threat actors’ use of ransomware might be sanctioned by the country’s government, to offset economic setbacks caused by the COVID-19 lockdown. However, it is equally possible that the adversary is using ransomware for personal gain, which could explain an “often-random selection of victims.”

The H0lyGh0st ransomware comprises two malware families: SiennaPurple (the BTLC_C variant, written in C++) and SiennaBlue (the HolyRS, HolyLocker, and BTLC variants, all written in Go). Both have been used in DEV-0530 attacks against Windows systems.

In June 2021, the threat actor was seen using the SiennaPurple family, which must be executed with administrative privileges on the target system. Between October 2021 and May 2022, the adversary switched to the Go-based SiennaBlue variants, and since April 2022 DEV-0530 has been using BTLC, the SiennaBlue variant.

According to the tech giant, in November 2021 DEV-0530 successfully compromised several small-to-midsized businesses in the manufacturing, finance, education, and event and meeting planning sectors in multiple countries. The attacks were likely opportunistic, with initial access probably gained by exploiting vulnerabilities in public-facing web applications, such as CVE-2022-26352.

Following successful compromise, the attackers would exfiltrate “a full copy of the victims’ files” and then move to encrypt the contents on the system, appending the .h0lyenc extension to impacted files. In addition to dropping a ransom note, the attackers emailed the victim to inform them that their data was stolen and encrypted by H0lyGh0st.
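The one observable the article gives defenders is the .h0lyenc extension appended to encrypted files. The following is an added example (not code from SecurityWeek or from Microsoft's report) of the detection logic a practitioner would run over file-creation telemetry: it flags any host/process pair that writes more than a handful of .h0lyenc files inside a short window, which separates bulk encryption from a stray file with an odd name. The event format, hostnames, process paths, the 60-second window and the threshold of five files are all assumptions for illustration; the sample events are constructed, not real telemetry.

```python
"""Flag bulk creation of .h0lyenc files from file-create events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a simple "timestamp|host|process|path" format.
# Hostnames, process paths and file names are assumptions for illustration; the
# first host shows a burst of .h0lyenc writes, the second shows two isolated ones.
SAMPLE_EVENTS = r"""
2021-11-03T02:14:01Z|ws-fin-07|C:\Users\a\AppData\Local\Temp\BTLC.exe|C:\Shares\Finance\Q3.xlsx.h0lyenc
2021-11-03T02:14:02Z|ws-fin-07|C:\Users\a\AppData\Local\Temp\BTLC.exe|C:\Shares\Finance\budget.docx.h0lyenc
2021-11-03T02:14:02Z|ws-fin-07|C:\Users\a\AppData\Local\Temp\BTLC.exe|C:\Shares\Finance\payroll.csv.h0lyenc
2021-11-03T02:14:03Z|ws-fin-07|C:\Users\a\AppData\Local\Temp\BTLC.exe|C:\Shares\Finance\invoices.pdf.h0lyenc
2021-11-03T02:14:05Z|ws-fin-07|C:\Users\a\AppData\Local\Temp\BTLC.exe|C:\Shares\Finance\contracts.zip.h0lyenc
2021-11-03T02:14:09Z|ws-fin-07|C:\Users\a\AppData\Local\Temp\BTLC.exe|C:\Shares\Finance\notes.txt.h0lyenc
2021-11-03T02:20:00Z|ws-hr-02|C:\Windows\explorer.exe|C:\Users\b\Documents\report.docx
2021-11-03T03:00:00Z|ws-hr-02|C:\Program Files\Backup\agent.exe|C:\Backups\archive.h0lyenc
2021-11-03T04:30:00Z|ws-hr-02|C:\Program Files\Backup\agent.exe|C:\Backups\archive2.h0lyenc
"""

RANSOM_EXT = ".h0lyenc"          # extension reported for H0lyGh0st-encrypted files
WINDOW = timedelta(seconds=60)   # assumed burst window
THRESHOLD = 5                    # assumed minimum files per window to alert


def parse_events(text):
    """Parse 'timestamp|host|process|path' lines into (datetime, host, process, path)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, path = line.split("|", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, path))
    return events


def find_bulk_encryption(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(host, process): peak_count} for actors that created at least
    `threshold` files ending in RANSOM_EXT within any sliding `window`."""
    by_actor = defaultdict(list)
    for ts, host, proc, path in events:
        if path.lower().endswith(RANSOM_EXT):
            by_actor[(host, proc)].append(ts)

    hits = {}
    for actor, times in by_actor.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[actor] = peak
    return hits


if __name__ == "__main__":
    for (host, proc), count in find_bulk_encryption(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {proc} wrote {count} {RANSOM_EXT} files within {WINDOW}")
```

Against the constructed events, only ws-fin-07 trips the rule (six .h0lyenc files in eight seconds); the two backup files on ws-hr-02 ninety minutes apart do not. The same windowed count translates directly into a SIEM query over Sysmon Event ID 11 or EDR file-write telemetry, and the process path in the alert is what an incident responder needs to pull the sample and check the dropped ransom note and outbound exfiltration that the article describes.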

“Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims,” Microsoft notes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
