Microsoft Threat Intelligence Center (MSTIC) researchers track a group of threat actors from North Korea that has been developing and using ransomware in attacks since June 2021. 

North Korean hackers use ransomware payloads with the same name for their campaigns and have successfully compromised small businesses in multiple countries within a year.

Microsoft Researchers have tracked the Holy Ghost ransomware gang as DEV-0530. 

Along with their H0lyGh0st payload, DEV-0530 maintains a .onion site that the group uses to interact with their victims. 

The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. 

As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay. 

This group has been active for quite a while but it failed to gain financial success like other gangs even though they followed the same technique: double extortion combined with a leak site to publish the name of the victims and stolen data.

In a Microsoft report earlier today, they say that the first payload from this threat actor was seen last year in June.

More recent variants have additional features when compared to the earliest Holy Ghost ransomware. Microsoft calls this new variant SiennaBlue and so far these new variants have shown functionality including multiple encryption methods, string obfuscation, public key management, and remote access.

DEV-0530 managed to hack into the computers of various small-to-midsize businesses and caused them a variety of problems, ranging from theft of customer data to affect the organization’s efficiency.

Usually, the actors demanded a small payout between 1.2 to 5 bitcoins, or up to about $100,000 at the current exchange rate.

Even if the demands were not large, the attacker was willing to negotiate and sometimes lowered the price to less than a third of the initial demand, MSTIC says.

DEV-0530 exfiltrated the contents of victim hard drives and replaced all file names with BASE-64 encoded versions of the original file names. 

North Korea Link

Microsoft Threat Intelligence team assesses that DEV-0530 has connections with another North Korean-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel). 

While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has observed communications between the two groups, as well as DEV-0530 using tools created exclusively by PLUTONIUM.

PLUTONIUM is a North Korean hacker group, that’s active since at least 2014. They primarily attack energy and defense industries in India, South Korea, and the United States.

To further assess the origin of DEV-0530 operations, researchers observed that DEV-0530 activity is most common in UTC+8 and UTC+9 time zones. North Korea currently operates the UTC+9 time zone.