North Korean Hackers Targeting Small and Midsize Businesses with H0lyGh0st Ransomware

An emerging threat cluster originating from North Korea has been
linked to developing and using ransomware in cyberattacks targeting
small businesses since September 2021.

The group, which calls itself H0lyGh0st after the ransomware
payload of the same name, is being tracked by the Microsoft Threat
Intelligence Center under the moniker DEV-0530, a designation
assigned for unknown, emerging, or a developing group of threat
activity.

Targeted entities primarily include small-to-midsize businesses
such as manufacturing organizations, banks, schools, and event and
meeting planning companies.

“Along with their H0lyGh0st payload, DEV-0530 maintains an
.onion site that the group uses to interact with their victims,”
the researchers said^[1]
in a Thursday analysis.

“The group’s standard methodology is to encrypt all files on the
target device and use the file extension .h0lyenc, send the victim
a sample of the files as proof, and then demand payment in Bitcoin
in exchange for restoring access to the files.”

Ransom amounts demanded by DEV-0530 range anywhere between 1.2
and 5 bitcoins, although an analysis of the attacker’s
cryptocurrency wallet shows no successful ransom payments from its
victims as of early July 2022.

DEV-0530 is believed to have connections with another North
Korean-based group known as Plutonium^[2]
(aka DarkSeoul or Andariel), a sub-group operating under the
Lazarus umbrella (aka Zinc or Hidden Cobra).

The illicit scheme adopted by the threat actor is also known to
take a leaf from the ransomware landscape, leveraging extortion
tactics to apply pressure on victims into paying up or risk getting
their information published on social media.

DEV-0530’s dark web portal claims it aims to “close the gap
between the rich and poor” and “help the poor and starving people,”
in a tactic that mirrors another ransomware family called GoodWill^[3]
that compels victims into donating to social causes and providing
financial assistance to people in need.

The technical breadcrumbs that tie the group to Andariel stem
from overlaps in the infrastructure set as well as based on
communications between email accounts controlled by the two
attacker collectives, with DEV-0530 activity consistently observed
during Korea Standard Time (UTC+09:00).

“Despite these similarities, differences in operational tempo,
targeting, and tradecraft suggest DEV-0530 and Plutonium are
distinct groups,” the researchers pointed out.

In a sign that suggests active development, four different
variants of the H0lyGh0st ransomware were churned out between June
2021 and May 2022 to target Windows systems: BTLC_C.exe,
HolyRS.exe, HolyLock.exe, and BLTC.exe.

While BTLC_C.exe (dubbed SiennaPurple) is written in C++, the
other three versions (codenamed SiennaBlue) are programmed in Go,
suggesting an attempt on the part of the adversary to develop
cross-platform malware.

The newer strains also come with improvements to their core
functionality, including string obfuscation and abilities to delete
scheduled tasks and remove themselves from the infected
machines.

The intrusions are said to have been facilitated through the
exploitation of unpatched vulnerabilities in public-facing web
applications and content management systems (e.g., CVE-2022-26352^[4]), leveraging the
purchase to drop the ransomware payloads and exfiltrate sensitive
data prior to encrypting the files.

The findings come a week after the U.S. cybersecurity, and
intelligence agencies warned about the use of Maui ransomware^[5]
by North Korean government-backed hackers to target the healthcare
sector since at least May 2021.

The expansion from financial heists to ransomware is being
viewed as yet another tactic sponsored by the North Korean
government to offset losses from sanctions, natural disasters, and
other economic setbacks.

But given the narrow set of victims than is typically associated
with state-sponsored activity against cryptocurrency organizations,
Microsoft theorized the attacks could be a side-hustle for the
threat actors involved.

“It is equally possible that the North Korean government is not
enabling or supporting these ransomware attacks,” the researchers
said. “Individuals with ties to Plutonium infrastructure and tools
could be moonlighting for personal gain. This moonlighting theory
might explain the often-random selection of victims targeted by
DEV-0530.”

The ransomware threat evolves in a post-Conti world

The development also comes as the ransomware landscape is
evolving with existing and new ransomware groups, namely LockBit,
Hive^[6], Lilith, RedAlert (aka
N13V), and 0mega, even as the Conti gang formally shuttered its
operations in response to a massive leak^[7]
of its internal chats.

Adding fuel to the fire, LockBit’s improved successor^[8]
also comes with a brand new data leak site that allows any actor to
purchase data stolen from victims, not to mention incorporating a
search feature that makes it easier to surface sensitive
information.

Other ransomware families have also added similar capabilities
in an attempt to create searchable databases of information stolen
during attacks. Notable among this list are PYSA, BlackCat^[9]
(aka ALPHV), and the Conti offshoot known as Karakurt, according to
a report from Bleeping Computer^[10].

Based on statistics gathered by Digital Shadows^[11], 705 organizations were
named in ransomware data leak websites in the second quarter of
2022, marking a 21.1% increase from Q1 2022. The top ransomware
families during the period included LockBit, Conti, BlackCat,
Black Basta^[12], and Vice Society^[13].