North Korean Hackers Target Small and Midsize Businesses with H0lyGh0st Ransomware

North Korean Hackers Target Small and Midsize Businesses with H0lyGh0st Ransomware

Since September 2021, a newly emerged threat group that is believed to have originated in North Korea has been connected to the creation and use of ransomware in the context of cyberattacks directed against small businesses.


The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, which is a designation assigned for an unknown, emerging, or developing group of threat activity. H0lyGh0st takes its name from the ransomware payload of the same name.


The majority of the entities that are being targeted are either small or medium-sized businesses. Some examples of these types of businesses include manufacturing organizations, banks, schools, and event and meeting planning companies.


The researchers stated in their analysis that was published on Thursday that "along with their H0lyGh0st payload, DEV-0530 maintains an.onion site that the group uses to interact with their victims."


"The standard procedure followed by the organization is to encrypt each and every file located on the target device while making use of the file extension.


h0lyenc, then send the victim a sample of the files to use as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. h0lyenc can be used in a variety of malicious contexts."


The ransom amounts demanded by DEV-0530 range anywhere from 1.2 bitcoins to 5 bitcoins, but an analysis of the attacker's cryptocurrency wallet shows that none of the victims have successfully paid the ransom as of the beginning of July 2022.


It is believed that DEV-0530 is affiliated with a different North Korean-based organization called Plutonium, also known as DarkSeoul or Andariel. Plutonium is a sub-group that operates under the larger Lazarus umbrella (aka Zinc or Hidden Cobra).


It is well known that the illicit scheme that was implemented by the threat actor took a page from the playbook that was used by ransomware. This playbook included the utilization of extortion strategies to apply pressure on victims into paying up or risking having their information published on social media.


The dark web portal for DEV-0530 makes the claim that it wants to "close the gap between the rich and poor" and "help the poor and starving people." This is a strategy that is similar to that used by another ransomware family known as GoodWill, which coerces victims into donating to charitable causes and providing financial assistance to those who are in need.


North Korean Hackers Target Small and Midsize Businesses with H0lyGh0st Ransomware


The technical breadcrumbs that link the group to Andariel stem from overlaps in the infrastructure set as well as based on communications between email accounts controlled by the two attacker collectives, with activity associated with DEV-0530 being consistently observed during Korea Standard Time (UTC+09:00).



The researchers pointed out that despite these similarities, there are differences in the operational tempo, targeting, and tradecraft between the two groups, which suggests that DEV-0530 and Plutonium are separate groups.




BTLC C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe are the four different variants of the H0lyGh0st ransomware that were developed to target Windows systems between June 2021 and May 2022. This is an indication that ransomware is still actively being developed.




Although BTLC C.exe (also known as SiennaPurple) is written in C++, the other three versions (which have been given the codename SiennaBlue) are programmed in Go. This suggests that the adversary is attempting to develop malware that is compatible with multiple operating systems.


North Korean Hackers Target Small and Midsize Businesses with H0lyGh0st Ransomware



The more recent strains also include enhancements to their fundamental functionality, such as the capacity to obfuscate strings and the ability to delete scheduled tasks and remove themselves from infected machines.


It is believed that the intrusions were made possible by exploiting unpatched vulnerabilities in public-facing web applications and content management systems (for example, CVE-2022-26352). This allowed the hackers to leverage the purchase to drop ransomware payloads and exfiltrate sensitive data before encrypting the files.




The findings come about a week after U.S. cybersecurity and intelligence agencies issued a warning about the use of the Maui ransomware by hackers supported by the North Korean government to target the healthcare sector from at least May 2021 onward.




It is believed that the North Korean government is behind the expansion of financial heists into ransomware as yet another strategy to compensate for financial losses brought on by sanctions, natural disasters, and other types of economic setbacks.




Microsoft theorized that the attacks could be a side hustle for the threat actors involved due to the limited number of victims, which is not typically associated with state-sponsored activity against cryptocurrency organizations. State-sponsored activity typically targets larger organizations.




According to the researchers, "it is equally possible that the North Korean government is not enabling or supporting these ransomware attacks." [Citation needed] "People who have connections to the Plutonium infrastructure and tools might be working a second job for their own financial gain. This moonlighting theory could provide an explanation for the seemingly arbitrary choice of victims that DEV-0530 goes after."




In a world after Conti, the danger posed by ransomware continues to develop.


The news comes at a time when the landscape of ransomware is undergoing change, with new and existing ransomware groups emerging, such as LockBit, Hive, Lilith, RedAlert (aka N13V), and 0mega. This is happening at the same time that the Conti gang has formally shut down its operations in response to a massive leak of its internal chats.




LockBit's improved successor also comes with a brand new data leak site that enables any actor to purchase data plundered from victims. In addition to this, it incorporates a search feature that makes it easier to surface sensitive information, which adds fuel to the fire. LockBit's improved successor also comes with a brand new data leak site.




Other families of ransomware have also incorporated similar capabilities in an effort to create information databases that are searchable after they have been compromised by an attack. According to a report from Bleeping Computer, some of the more notable names on this list include PYSA, BlackCat (aka ALPHV), and Karakurt, which is an offshoot of the Conti family.



According to the data collected by Digital Shadows, there was a 21.1 percent increase from the first quarter of 2022 to the second quarter of 2022 in the number of organizations that were named in ransomware data leak websites. In total, there were 705. The LockBit, Conti, BlackCat, Black Basta, and Vice Society ransomware families were the most prominent ones during the time period in question.

0 Comments

Your suggestions and comments are welcome

Post a Comment

Your suggestions and comments are welcome

Post a Comment (0)

Previous Post Next Post