North Korean actors using H0lyGh0st ransomware to target small, midsize bizs: Microsoft


Devdiscourse News Desk | California | Updated: 15-07-2022 12:25 IST | Created: 15-07-2022 12:25 IST

A group of North Korea-based threat actors calling itself H0lyGh0st is using a ransomware payload of the same name in its campaigns and has successfully compromised small businesses in multiple countries as early as September 2021, the Microsoft Threat Intelligence Center (MSTIC) said on Thursday.

Tracked as DEV-0530 by MSTIC, the group maintains a .onion site and uses it to interact with its victims. According to MSTIC, the group's standard methodology is to encrypt all files on the target device using the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files.

As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay.

While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has found connections between it and another North Korea-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel). MSTIC has observed communications between the two groups, as well as DEV-0530 using tools created exclusively by PLUTONIUM.

PLUTONIUM has been active since at least 2014 and has primarily targeted the energy and defense industries in India, South Korea, and the United States using a variety of tactics and techniques.

MSTIC observed that DEV-0530 successfully compromised several targets in multiple countries using HolyRS.exe in November 2021. A review of the victims showed they were primarily small-to-midsized businesses, including manufacturing organizations, banks, schools, and event and meeting planning companies. To date, MSTIC has not observed DEV-0530 using any 0-day exploits in their attacks, according to the Microsoft security researchers.

The techniques used by DEV-0530 in H0lyGh0st activity can be mitigated by using the included IOCs to investigate whether they exist in your environment and to assess for potential intrusion. Microsoft recommends that all organizations proactively implement and frequently validate a data backup and restore plan as part of broader protection against ransomware and extortion threats. More information can be found here.
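As an added defender-side example (not code from the Microsoft report or this article), the following Python triage scan walks a directory tree, flags files carrying the .h0lyenc extension described above, and confirms via byte entropy that their contents actually look encrypted rather than merely renamed. The sample tree it builds, the 7.0-bit entropy threshold and the 4096-byte sample size are constructed assumptions.

```python
import math
import os
import tempfile
from pathlib import Path

# File extension MSTIC reports for files encrypted by H0lyGh0st ransomware.
H0LYGH0ST_EXT = ".h0lyenc"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; properly encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_h0lyenc_files(root, min_entropy: float = 7.0, sample_bytes: int = 4096):
    """Return (path, entropy) for each .h0lyenc file under `root` whose leading
    bytes are high-entropy. The entropy check (threshold is an assumption)
    filters out empty or placeholder files that only carry the extension."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != H0LYGH0ST_EXT:
            continue
        with open(path, "rb") as fh:
            ent = shannon_entropy(fh.read(sample_bytes))
        if ent >= min_entropy:
            hits.append((str(path), round(ent, 2)))
    return hits


def triage_summary(hits):
    """Count hits per directory so a responder sees which trees were touched."""
    by_dir = {}
    for path, _ in hits:
        by_dir[os.path.dirname(path)] = by_dir.get(os.path.dirname(path), 0) + 1
    return by_dir


def demo_scan():
    """Build a constructed sample tree (not real victim data) and scan it."""
    root = tempfile.mkdtemp(prefix="h0lyscan-")
    docs = Path(root, "docs")
    docs.mkdir()
    (docs / "report.docx.h0lyenc").write_bytes(os.urandom(2048))  # simulated ciphertext
    (docs / "empty.h0lyenc").write_bytes(b"")                      # extension only, no content
    (docs / "notes.txt").write_bytes(b"quarterly notes " * 100)    # untouched plaintext
    return find_h0lyenc_files(root)
```

In an incident, a non-empty result from find_h0lyenc_files on a host is the cue to isolate it and fall back to the validated backups the article recommends.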
