North Korean Hackers Targeting Small and Midsize Businesses with H0lyGh0st Ransomware
An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021.
The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned for unknown, emerging, or a developing group of threat activity.
Targeted entities primarily include small-to-midsize businesses such as manufacturing organizations, banks, schools, and event and meeting planning companies.
“Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims,” the researchers said in a Thursday analysis.
“The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files.”
Ransom amounts demanded by DEV-0530 range anywhere between 1.2 and 5 bitcoins, although an analysis of the attacker’s cryptocurrency wallet shows no successful ransom payments from its victims as of early July 2022.
DEV-0530 is believed to have connections with another North Korean-based group known as Plutonium (aka DarkSeoul or Andariel), a sub-group operating under the Lazarus umbrella (aka Zinc or Hidden Cobra).
The illicit scheme adopted by the threat actor is also known to take a leaf from the ransomware landscape, leveraging extortion tactics to apply pressure on victims into paying up or risk getting their information published on social media.
DEV-0530’s dark web portal claims it aims to “close the gap between the rich and poor” and “help the poor and starving people,” in a tactic that mirrors another ransomware family called GoodWill that compels victims into donating to social causes and providing financial assistance to people in need.
The technical breadcrumbs that tie the group to Andariel stem from overlaps in the infrastructure set as well as based on communications between email accounts controlled by the two attacker collectives, with DEV-0530 activity consistently observed during Korea Standard Time (UTC+09:00).
“Despite these similarities, differences in operational tempo, targeting, and tradecraft suggest DEV-0530 and Plutonium are distinct groups,” the researchers pointed out.
In a sign that suggests active development, four different variants of the H0lyGh0st ransomware were churned out between June 2021 and May 2022 to target Windows systems: BTLC_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe.
While BTLC_C.exe (dubbed SiennaPurple) is written in C++, the other three versions (codenamed SiennaBlue) are programmed in Go, suggesting an attempt on the part of the adversary to develop cross-platform malware.
The newer strains also come with improvements to their core functionality, including string obfuscation and abilities to delete scheduled tasks and remove themselves from the infected machines.
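The behaviors described above (mass renaming of files to the .h0lyenc extension, followed by deletion of scheduled tasks and self-removal) are the kind a defender would watch for in endpoint telemetry. The following is an added example written for this article, not code from Microsoft or from the ransomware itself. It runs over a constructed sample of file-rename and process-creation events (the log format, hostnames, paths and thresholds are assumptions for illustration) and flags two indicators: a burst of renames to one suspicious extension on a single host within a short window, and schtasks invocations that delete tasks.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one event per line (not taken from the article).
# Format: "<ISO timestamp> <host> <rename|process> <detail>"
SAMPLE_EVENTS = """\
2022-07-14T09:00:01 ws01 rename C:\\Users\\a\\Documents\\q1.xlsx -> C:\\Users\\a\\Documents\\q1.xlsx.h0lyenc
2022-07-14T09:00:02 ws01 rename C:\\Users\\a\\Documents\\plan.docx -> C:\\Users\\a\\Documents\\plan.docx.h0lyenc
2022-07-14T09:00:02 ws01 rename C:\\Users\\a\\Pictures\\1.jpg -> C:\\Users\\a\\Pictures\\1.jpg.h0lyenc
2022-07-14T09:00:03 ws01 rename C:\\Users\\a\\Pictures\\2.jpg -> C:\\Users\\a\\Pictures\\2.jpg.h0lyenc
2022-07-14T09:00:04 ws01 rename C:\\Users\\a\\Desktop\\notes.txt -> C:\\Users\\a\\Desktop\\notes.txt.h0lyenc
2022-07-14T09:00:09 ws01 process schtasks.exe /delete /tn "Updater" /f
2022-07-14T10:15:00 ws02 rename C:\\Users\\b\\Documents\\draft.docx -> C:\\Users\\b\\Documents\\draft-final.docx
2022-07-14T10:20:00 ws02 process schtasks.exe /create /tn "Backup" /tr backup.bat /sc daily
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (rename|process) (.*)$")
RENAME_RE = re.compile(r"^(.*) -> (.*)$")

# Extension reported for H0lyGh0st in the article; window and threshold are assumed tuning values.
SUSPECT_EXT = ".h0lyenc"
WINDOW = timedelta(seconds=60)
THRESHOLD = 5


def parse_events(text):
    """Parse log lines into (timestamp, host, kind, detail) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        ts, host, kind, detail = m.groups()
        events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events


def detect_encryption_bursts(events, ext=SUSPECT_EXT, window=WINDOW, threshold=THRESHOLD):
    """Return {host: peak_count} for hosts with >= threshold renames to `ext` inside `window`.

    A sliding window over each host's sorted rename timestamps finds the densest burst;
    a few renames to an odd extension are noise, dozens in seconds are an encryption run.
    """
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind != "rename":
            continue
        m = RENAME_RE.match(detail)
        if m and m.group(2).lower().endswith(ext):
            per_host[host].append(ts)

    hits = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits[host] = peak
    return hits


def detect_task_deletion(events):
    """Return (host, command line) pairs where schtasks was run with /delete."""
    out = []
    for _ts, host, kind, detail in events:
        lowered = detail.lower()
        if kind == "process" and "schtasks" in lowered and "/delete" in lowered:
            out.append((host, detail))
    return out


def analyze(text):
    """Run both detections over raw log text and return the findings."""
    events = parse_events(text)
    return {
        "encryption_bursts": detect_encryption_bursts(events),
        "task_deletions": detect_task_deletion(events),
    }


if __name__ == "__main__":
    for name, finding in analyze(SAMPLE_EVENTS).items():
        print(name, finding)
```

The burst detector is deliberately keyed on rename rate rather than on the extension alone, so it still fires if a future variant changes the suffix; the extension check only narrows the alert. In production the same logic would read from an EDR or Sysmon feed instead of the constructed string.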
The intrusions are said to have been facilitated through the exploitation of unpatched vulnerabilities in public-facing web applications and content management systems (e.g., CVE-2022-26352), using that initial foothold to drop the ransomware payloads and exfiltrate sensitive data prior to encrypting the files.
The findings come a week after U.S. cybersecurity and intelligence agencies warned about the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021.
The expansion from financial heists to ransomware is being viewed as yet another tactic sponsored by the North Korean government to offset losses from sanctions, natural disasters, and other economic setbacks.
But given the narrower set of victims than is typically associated with state-sponsored activity against cryptocurrency organizations, Microsoft theorized the attacks could be a side hustle for the threat actors involved.
“It is equally possible that the North Korean government is not enabling or supporting these ransomware attacks,” the researchers said. “Individuals with ties to Plutonium infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530.”
The ransomware threat evolves in a post-Conti world
The development also comes as the ransomware landscape is evolving with existing and new ransomware groups, namely LockBit, Hive, Lilith, RedAlert (aka N13V), and 0mega, even as the Conti gang formally shuttered its operations in response to a massive leak of its internal chats.
Adding fuel to the fire, LockBit’s improved successor also comes with a brand new data leak site that allows any actor to purchase data stolen from victims, not to mention incorporating a search feature that makes it easier to surface sensitive information.
Other ransomware families have also added similar capabilities in an attempt to create searchable databases of information stolen during attacks. Notable among this list are PYSA, BlackCat (aka ALPHV), and the Conti offshoot known as Karakurt, according to a report from Bleeping Computer.
Based on statistics gathered by Digital Shadows, 705 organizations were named in ransomware data leak websites in the second quarter of 2022, marking a 21.1% increase from Q1 2022. The top ransomware families during the period included LockBit, Conti, BlackCat, Black Basta, and Vice Society.