Researchers from Microsoft’s Threat Intelligence Center (MSTIC) this week claimed that the North Korean hackers are employing the H0lyGh0st ransomware to target small and midsize businesses worldwide.
The hacking group, which calls itself H0lyGh0st and is tracked by Microsoft as DEV-0530, has been employing ransomware since at least June 2021 and has successfully exploited multiple businesses since September 2021.
The activities of DEV-0530 are similar to other ransomware gangs out there. The group engages in double extortion, threatening to publish personal data stolen from victims unless a ransom is paid.
In recent years, North Korean hackers have siphoned hundreds of millions of dollars from foreign businesses to help their country which is struggling economically due to the U.S. sanctions and the COVID-19 pandemic. However, it is equally possible that the hackers are employing ransomware for personal gain, which could explain an “often-random selection of victims.”
According to Microsoft, the activities of DEV-0530 are partially linked to a group known as Plutonium (also known as DarkSeoul or Andariel). Both groups have been spotted operating from the same infrastructure, employing custom malware controllers with similar names, and emailing accounts belonging to each other.
“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” Microsoft says.
The researchers also identified that the hacker’s activities are consistent with the UTC+9 time zone employed in North Korea.
DEV-0530’s first malicious payload was spotted in June last year, BLTC_C.exe, which was classified as SiennaPurple, despite its lack of complexity compared to other variants in the same ransomware family. More powerful derivatives of the malware were released later, between October 2021 and May 2022, and were based on the Go programming language.
In November 2021 DEV-0530 successfully exploited several small-to-midsized businesses in the manufacturing, finance, education, and event and meeting planning sectors in multiple nations. Likely opportunistic, the attacks exploited vulnerabilities such as CVE-2022-26352 on public-facing web assets for initial access.
Subsequently, the hackers would steal “a full copy of the victims’ files” and then shift to encrypt the contents on the system, appending the .h0lyenc extension to impacted files. In addition to dropping a ransom note, the attackers emailed the victim to inform them that their data was stolen and encrypted by H0lyGh0st.
“Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims,” Microsoft researchers explained.