Microsoft has Connected the Holy Ghost Ransomware Operation to North Korean Hackers

North Korean hackers have been operating HolyGhost, a ransomware operation that targets small businesses worldwide, for more than a year.

Although the operation followed the same recipe—double extortion combined with a leak site that names victims and publishes stolen data—the group, despite having been active for some time, has not achieved the notoriety or financial success of other gangs.

Occasional attacks and modest demands

Researchers at the Microsoft Threat Intelligence Center (MSTIC) track the Holy Ghost ransomware group as DEV-0530. According to a report published earlier today, the threat actor's first payload was observed in June of last year.

The early Holy Ghost ransomware strain, classified as SiennaPurple (BTLC_C.exe), has fewer features than the later Go-based versions, which first appeared in October 2021.

The more recent versions—HolyRS.exe, HolyLocker.exe, and BTLC.exe—are tracked by Microsoft as SiennaBlue, and the company adds that their functionality has grown over time to include multiple encryption options, string obfuscation, public key management, and internet/intranet support.

According to the researchers, DEV-0530 successfully breached a number of targets, primarily small-to-midsize organizations. Banks, schools, manufacturing companies, and event and meeting planning firms were among the victims.

Based on the victimology, these victims are almost certainly targets of opportunity. MSTIC speculates that, to gain initial access to target networks, DEV-0530 may have exploited vulnerabilities such as CVE-2022-26352 (a DotCMS remote code execution vulnerability) in publicly accessible web applications and content management systems.

As in a typical ransomware attack, Holy Ghost actors first exfiltrated data from compromised systems before encrypting them.

The attackers informed the victim by email, including a link to a sample of the stolen material, that they were willing to negotiate a ransom in exchange for the decryption key. They also dropped a ransom note on the infected computer.

The actors typically asked for a modest payment of between 1.2 and 5 bitcoins, or up to around $100,000 at the current exchange rate.

Even though the demands were modest, the attackers were open to negotiation and occasionally lowered the amount to less than a third of the original demand, according to MSTIC.

North Korea connection

This willingness to negotiate, along with the infrequency of the attacks and the apparently random selection of victims, supports the idea that the Holy Ghost ransomware operation may not be under the direct supervision of the North Korean government.

Instead, it is possible that hackers working for the Pyongyang regime are carrying out this activity on their own, for personal financial gain.

However, MSTIC discovered correspondence between Holy Ghost email accounts and Andariel, a threat actor working under the Lazarus Group and the North Korean Reconnaissance General Bureau. This indicates that a relationship with state-backed hacking organizations still exists.

The researchers note that the connection between the two groups is strengthened by the fact that both were "working from the same infrastructure set, and even utilizing custom malware controllers with similar names."

Posing as benevolent

Holy Ghost's website is now offline, but while it was up the attackers used the limited visibility it gave them to pose as a trustworthy organization helping victims strengthen their security.

They also claim that their actions are motivated by a desire to "narrow the wealth gap" and "assist the impoverished and starving people."

Unlike other ransomware operators, Holy Ghost promises victims that, once paid, it will not sell or release the stolen data.

Along with a number of indicators of compromise found while analyzing the malware, Microsoft's report includes a list of recommendations for preventing infections by Holy Ghost payloads.

Source
