The Microsoft Threat Intelligence Center (MSTIC) researchers linked the activity of the Holy Ghost ransomware (H0lyGh0st) operation to a North Korea-linked group they tracked as DEV-0530.
The Holy Ghost ransomware gang has been active since June 2021 and it conducted ransomware attacks against small businesses in multiple countries. The list of victims includes manufacturing organizations, banks, schools, and event and meeting planning companies.
MSTIC linked DEV-0530 to another North Korea-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel). The researchers noticed that the H0lyGh0st ransomware used custom tools created by the PLUTONIUM APT.
Like other operations, H0lyGh0st adopts a double extortion model, threatening to publish victims’ data if they don’t pay the ransom. The group maintains an .onion site used to interact with its victims. The Holy Ghost ransomware appends the file extension .h0lyenc to the filenames of encrypted files.
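As an added defensive example (not code from the Microsoft report or from this article), a small detector that flags a host renaming many files to the .h0lyenc extension within a short window, run over a constructed file-activity log; the log format, host names and thresholds are assumptions:

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: ISO timestamp, host, action, path[s]).
SAMPLE_LOG = """\
2022-04-12T09:00:01 ws-12 CREATE C:\\Users\\a\\report.docx
2022-04-12T09:14:20 ws-12 RENAME C:\\Users\\a\\report.docx -> C:\\Users\\a\\report.docx.h0lyenc
2022-04-12T09:14:21 ws-12 RENAME C:\\Users\\a\\budget.xlsx -> C:\\Users\\a\\budget.xlsx.h0lyenc
2022-04-12T09:14:21 ws-12 RENAME C:\\Users\\a\\notes.txt -> C:\\Users\\a\\notes.txt.h0lyenc
2022-04-12T09:14:22 ws-12 RENAME C:\\Users\\a\\pic.png -> C:\\Users\\a\\pic.png.h0lyenc
2022-04-12T09:14:23 ws-12 RENAME C:\\Users\\a\\deck.pptx -> C:\\Users\\a\\deck.pptx.h0lyenc
2022-04-12T11:30:00 ws-07 RENAME D:\\old.bak -> D:\\old.bak.h0lyenc
"""

# Only RENAME events matter here; capture timestamp, host and the new path.
LINE_RE = re.compile(r"^(\S+) (\S+) RENAME .+ -> (.+)$")


def find_h0lyenc_bursts(log_text, threshold=5, window_s=60):
    """Return {host: (first_alert_time, count_in_window)} for every host whose
    renames to *.h0lyenc reach `threshold` within any `window_s`-second window.
    A single stray rename (e.g. ws-07 below) stays below the threshold."""
    recent = {}   # host -> deque of rename timestamps inside the sliding window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, new_path = m.groups()
        if not new_path.lower().endswith(".h0lyenc"):
            continue
        t = datetime.fromisoformat(ts)
        q = recent.setdefault(host, deque())
        q.append(t)
        # Drop events that fell out of the window before evaluating the count.
        while q and (t - q[0]) > timedelta(seconds=window_s):
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = (t, len(q))
    return alerts


if __name__ == "__main__":
    for host, (when, n) in find_h0lyenc_bursts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {n} renames to .h0lyenc by {when.isoformat()}")
```

The threshold and window are tuning knobs; a real deployment would read the same events from EDR or file-audit telemetry rather than a text log.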
Microsoft researchers tracked the early Holy Ghost ransomware variant as SiennaPurple (BTLC_C.exe); the experts noticed that these early variants supported far fewer features than the most recent ones. Microsoft tracks the recent variants as SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe); unlike the older ones, they are written in Go. HolyRS.exe was first detected in October 2021, HolyLocker.exe in March 2022 and BTLC.exe in April 2022.
The SiennaBlue variant evolved over time by implementing multiple encryption options, string obfuscation, public key management, and support for the internet and intranet.
The threat actors asked victims to pay a ransom of 1.2 to 5 Bitcoins, while allowing the amount to be negotiated. The analysis of the attackers’ wallet transactions shows that they failed to extort ransom payments from their victims.
“Based on geopolitical observations by global experts on North Korean affairs and circumstantial observations, Microsoft analysts assess the use of ransomware by North Korea-based actors is likely motivated by two possible objectives. The first possibility is that the North Korean government sponsors this activity,” concludes Microsoft. “To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If the North Korean government is ordering these ransomware attacks, then the attacks would be yet another tactic the government has enabled to offset financial losses. However, state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims than observed in DEV-0530 victimology. Because of this, it is equally possible that the North Korean government is not enabling or supporting these ransomware attacks. Individuals with ties to PLUTONIUM infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530.”
The report published by Microsoft also includes Indicators of Compromise (IoCs) and mitigation recommendations for this threat.
(SecurityAffairs – hacking, Holy Ghost ransomware)