A previously unknown North Korean ransomware gang, HolyGhost, has been holding small to medium enterprises (SMEs) across the globe to ransom, new research suggests.
While the gang carries out familiar encryption and data exfiltration-led ransomware campaigns, its members profess to offer security services to their victims by informing them of weaknesses in their network. Despite this apparent ‘help’ for victims, a new report from Microsoft‘s security team (MSTIC) says its intentions are purely mercenary.
How does HolyGhost ransomware operate?
According to the Microsoft report, HolyGhost, also referred to as H0lyGh0st, has been active since September 2021, but has managed to remain under the radar because its victims are mainly small organisations such as schools, manufacturers and events companies. It also tends to demand a relatively small ransom, typically 1.2 to 1.5 Bitcoins, or $100,000 at the current exchange rate, per attack.
HolyGhost shows signs of acting in tandem with state-backed North Korean ransomware criminals, demanding ransoms to build up the nation’s economy. It seems to share resources with Plutonium, a gang which falls under the umbrella of the larger advanced persistent threat group Lazarus.
“MSTIC has observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” the report says.
What should businesses do about HolyGhost?
As with most ransomware gangs, good cyber hygiene is key to thwarting HolyGhost. Victims should be on the lookout for repeat attacks, as the gang has been known to reapproach those who have paid out before, says Brian Higgins, security specialist at Comparitech. “It’s often common for this kind of attack to rely on repeat business, so any victims should be looking for back-door exploits left behind to allow access to their networks,” he says.
Despite HolyGhost claiming it can offer assistance to victims to boost defences, Toby Lewis, global head of threat analysis at security company Darktrace, agrees with Microsoft’s assessment that it is highly like these attacks will be coordinated with the North Korean state.
“Some of the history associated with North Korean cybercrime has tended to be a direct reaction to economic sanctions and hardship within the country, and has often been suspected of being strongly linked to the state,” Lewis says. “Recognising the strict censorship programmes in place in North Korea, the ability to mount such an attack outside of the country’s own dedicated IP space would very likely require a degree of collusion with the state.”
HolyGhost and the North Korean ransomware network
The emergence of HolyGhost adds to the cyber threats emanating from North Korea. Its state-backed cyberattacks are often more financially motivated than those carried out on behalf of countries such as China and Russia, because it is thought the regime there uses stolen cryptocurrency to supplement its income.
Lazarus has been prolific in this respect. “The Lazarus Group has perpetrated several large cryptocurrency thefts totalling more than $2bn, and has recently turned its attention to DeFi services such as cross-chain bridges,” according to a report from security vendor Elliptic.
During a court case in the US last year against three North Korean Military hackers, the Department of Justice dubbed North Korean cybercriminals “the world’s leading bank robbers”. A statement from the DoJ said: “North Korea’s operatives, using keyboards rather than guns, are stealing digital wallets of cryptocurrency instead of sacks of cash.”
Speaking to Tech Monitor last year, Min Chao Choy, a data correspondent at NK News, said: “North Korea has called its cyber-capability an ‘all-purpose sword’. They use it for espionage, on a political level but also for industrial espionage. They use it for funds. They use it to threaten North Korean defectors living in South Korea. And I’m sure they have a lot more destructive capabilities that they haven’t displayed yet.”
Tech Monitor is hosting a roundtable in association with Intel vPro on how to integrate security into operations. For more information, visit NSMG.live.