Microsoft this week sounded the alarm on a North Korean threat actor using the H0lyGh0st ransomware in attacks targeting small and midsize businesses worldwide.
The hackers, who call themselves H0lyGh0st and are tracked by Microsoft as DEV-0530, have been using ransomware since at least June 2021, and have successfully compromised numerous organizations since September 2021.
Similar to other ransomware gangs out there, the group engages in double extortion, threatening to release sensitive information stolen from victims unless a ransom is paid.
DEV-0530 appears connected to the North Korea-linked advanced persistent threat (APT) actor DarkSeoul (also known as Plutonium and Andariel), based on email communication and on DEV-0530’s use of tools exclusive to DarkSeoul, the Microsoft Threat Intelligence Center (MSTIC) explains.
DEV-0530 is a financially motivated adversary that primarily uses ransomware to achieve its goals. The group attempts to legitimize its actions by claiming to help victims improve their security posture.
However, the threat actor also threatens to make victim data public on social media unless a ransom is paid. On their Tor website, the miscreants offer a contact form so that victims can get in touch with them.
According to Microsoft, the activities of DEV-0530 partially overlap with those of DarkSeoul, an APT famous for wreaking havoc in South Korea in 2013, and which was also observed targeting organizations in Europe and the United States.
“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” Microsoft says.
The tech giant also noticed that the threat actor's activity is consistent with the UTC+9 time zone used in North Korea, but says that, despite the similarities, DEV-0530 is a group distinct from DarkSeoul.
Microsoft says that North Korean threat actors’ use of ransomware might be sanctioned by the country’s government, to offset economic setbacks caused by the COVID-19 lockdown. However, it is equally possible that the adversary is using ransomware for personal gain, which could explain an “often-random selection of victims.”
The H0lyGh0st ransomware comprises two malware families, namely SiennaPurple (a BTLC_C variant written in C++) and SiennaBlue (HolyRS, HolyLock, and BTLC, all written in Go), both of which have been used in DEV-0530 attacks targeting Windows systems.
In June 2021, the threat actor was seen using the SiennaPurple family, which needs to be executed with administrative privileges on the target system. Between October 2021 and May 2022, the adversary used the Go-coded SiennaBlue ransomware variants. Since April 2022, DEV-0530 has relied on BTLC, the most recent of the SiennaBlue variants.
According to the tech giant, in November 2021 DEV-0530 successfully compromised several small-to-midsized businesses in the manufacturing, finance, education, and event and meeting planning sectors in multiple countries. The attacks were likely opportunistic, exploiting vulnerabilities such as CVE-2022-26352 (a DotCMS remote code execution flaw) on public-facing web assets for initial access.
Following successful compromise, the attackers would exfiltrate “a full copy of the victims’ files” and then move to encrypt the contents on the system, appending the .h0lyenc extension to impacted files. In addition to dropping a ransom note, the attackers emailed the victim to inform them that their data was stolen and encrypted by H0lyGh0st.
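The one concrete host-level indicator the report gives defenders is the .h0lyenc extension appended to encrypted files. The following added example (written for this page, not code from Microsoft or the article) shows how to turn that into a simple burst detection over a file-event log: a sliding window counts writes of files carrying the extension and raises one alert when the count crosses a threshold, and a second helper lists the original paths for scoping and recovery. The log format, the sample events, the 60-second window and the threshold of five writes are all constructed assumptions, not values from the report; events are assumed to arrive in chronological order.

```python
"""Detect a burst of '.h0lyenc' file writes in a constructed file-event log.

Added example for this article; not Microsoft's or H0lyGh0st's code.
Log format is an assumption: "<ISO-8601 timestamp> <action> <path>" per line.
"""
from collections import deque
from datetime import datetime, timedelta

RANSOM_EXT = ".h0lyenc"          # extension named in the Microsoft report
WINDOW = timedelta(seconds=60)   # assumption: sliding detection window
THRESHOLD = 5                    # assumption: writes per window that trip the alert

# Constructed sample events: normal activity, then a burst of encrypted files.
SAMPLE_LOG = """\
2022-06-01T10:00:01 write /srv/share/finance/q1.xlsx
2022-06-01T10:00:05 write /srv/share/finance/q2.xlsx
2022-06-01T10:03:00 write /srv/share/finance/q1.xlsx.h0lyenc
2022-06-01T10:03:01 write /srv/share/finance/q2.xlsx.h0lyenc
2022-06-01T10:03:01 write /srv/share/hr/payroll.docx.h0lyenc
2022-06-01T10:03:02 write /srv/share/hr/contracts.pdf.h0lyenc
2022-06-01T10:03:02 write /srv/share/hr/README_FOR_DECRYPT.txt
2022-06-01T10:03:03 write /srv/share/eng/specs.zip.h0lyenc
2022-06-01T10:03:04 write /srv/share/eng/build.log.h0lyenc
"""


def parse_events(text):
    """Yield (timestamp, action, path) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        ts, action, path = parts
        try:
            yield datetime.fromisoformat(ts), action, path
        except ValueError:
            continue


def is_ransom_write(action, path):
    """True for a write of a file that already carries the ransomware extension."""
    return action == "write" and path.endswith(RANSOM_EXT)


def detect_encryption_burst(text, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per burst of >= threshold ransom-extension writes within window.

    Events must be in chronological order. A burst raises a single alert when the
    threshold is first crossed; a new alert is only possible after the window
    has drained below the threshold again.
    """
    alerts = []
    recent = deque()      # timestamps of ransom-extension writes inside the window
    in_burst = False
    for ts, action, path in parse_events(text):
        if not is_ransom_write(action, path):
            continue
        recent.append(ts)
        # Drop timestamps older than the window (ts itself is always kept).
        while ts - recent[0] > window:
            recent.popleft()
        if len(recent) >= threshold:
            if not in_burst:
                in_burst = True
                alerts.append({"first": recent[0], "last": ts, "count": len(recent)})
        else:
            in_burst = False
    return alerts


def affected_originals(text):
    """Original paths of files now carrying the extension, for scoping and recovery."""
    return [path[: -len(RANSOM_EXT)]
            for _, action, path in parse_events(text)
            if is_ransom_write(action, path)]


if __name__ == "__main__":
    for alert in detect_encryption_burst(SAMPLE_LOG):
        print(f"ALERT: {alert['count']} {RANSOM_EXT} writes between "
              f"{alert['first'].isoformat()} and {alert['last'].isoformat()}")
    for original in affected_originals(SAMPLE_LOG):
        print("affected:", original)
```

A burst detector like this is deliberately extension-specific and cheap to run over existing file-audit or EDR telemetry; the same sliding-window logic works for any rename-on-encrypt family by swapping the extension, and the per-burst alert avoids paging once per file while a host is being encrypted.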
“Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims,” Microsoft notes.
Related: US: North Korean Hackers Targeting Healthcare Sector With Maui Ransomware
Related: North Korean Hackers Targeting IT Supply Chain: Kaspersky
Related: North Korean Hackers Operate VHD Ransomware, Kaspersky Says