The Microsoft Threat Intelligence Center discovered the connection between the Holy Ghost ransomware and the North Korean hackers behind it.
The Holy Ghost ransomware cyberattack has been going on for quite some time now.
Holy Ghost is the name of a ransomware operation that has been carried out by hackers from North Korea for more than a year, targeting small businesses in different countries.
The group of malicious threat actors has been targeting small businesses and ransoming those businesses into paying them a decent amount in bitcoin.
Microsoft Unpacks 'Holy Ghost' Ransomware
Microsoft reveals that since June 2021 they have been tracking a group of attackers called DEV-0530 that originates from North Korea. They are responsible for the development and use of ransomware in attacks.
This organization, which calls itself H0lyGh0st, uses a ransomware payload with the same name for its campaigns. As early as September 2021, they were successful in compromising small enterprises in a variety of different countries.
According to MSTIC's assessment, DEV-0530 is affiliated with another group operating out of North Korea identified as PLUTONIUM, also known as DarkSeoul or Andariel.
Microsoft stated, "While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has observed communications between the two groups, as well as DEV-0530 using tools created exclusively by PLUTONIUM."
According to the security researchers, victims are most likely targets of opportunity.
MSTIC has a strong suspicion that DEV-0530 gained initial access to target networks by exploiting vulnerabilities in public-facing web applications and content management systems.
The victims included financial institutions, educational institutions, manufacturing enterprises, and events and planning businesses.
Holy Ghost's Methods and Techniques
The Holy Group ransomware has been around since last year. However, the group was not able to achieve the same level of notoriety or financial success as those other gangs, despite the fact that it has been active for quite some time.
In addition, it has also been discovered that the Holy Ghost follows the same process and operation just like the other ransomware gangs, stealing data before deploying the encryption process to the infected outlets.
According to BleepingComputer, the hackers placed a ransom note on the hacked computer, and they also sent an email to the victim with a link to a sample of the stolen material in order to indicate that they were open to negotiating a payment in exchange for the decryption key.
In most cases, the actors asked for a modest sum of between 1.2 and 5 bitcoins, which is equivalent to approximately $100,000 given the current exchange rate.
According to MSTIC, the attacker was willing to negotiate, even if the demands were not particularly high. As a result, the price was occasionally reduced to less than a third of what was initially demanded.
North Korea's Ransomware Attacks
Microsoft diagnosed a few reasons for the continued cyberattacks and rampant ransomware tactics deployed by threat actors from North Korea.
The company thinks that there is a significant possibility that the series of hacks is being supported by the North Korean government.
Since 2016, the already fragile economy of North Korea has been even more fragile as a result of sanctions, natural catastrophes, drought, and COVID-19, which has isolated the country from the rest of the world beginning in early 2020.
However, on the contrary, it is also very possible that the North Korean government has nothing to do with these hacks. According to another theory, people who have connections to the PLUTONIUM infrastructure and tools can be working side jobs for their own financial gain.