A group of threat actors from North Korea has been targeting small and midsize businesses (SMBs) with ransomware since June 2021.
The group, which calls itself H0lyGh0st and is tracked by Microsoft as DEV-0530, successfully compromised small businesses in multiple countries as early as September 2021. However, a review of the attackers’ wallet transactions from early July shows that they have not yet successfully extorted ransom payments from victims. The group used common ransomware tactics during its attacks: maintaining an .onion site to interact with victims, encrypting files on target devices with the file extension .h0lyenc and demanding a ransom payment of anywhere from 1.2 to 5 bitcoins. The actors also leveraged multiple extortion tactics, threatening to publish victim data on social media or send it to their customers if targets do not pay.
“A review of the victims showed they were primarily small-to-midsized businesses, including manufacturing organizations, banks, schools, and event and meeting planning companies,” said researchers with Microsoft in a Thursday analysis. “The victimology indicates that these victims are most likely targets of opportunity.”
The H0lyGh0st ransomware was observed between June 2021 and May 2022 and classified under two malware samples: SiennaPurple, which was first seen in June and was written in C++, and SiennaBlue, observed between October and May and written in Go. SiennaBlue had an expanded set of capabilities, including string obfuscation, public key management and various encryption options. The latter variant was used to successfully compromise several targets in multiple countries in November. For initial access, researchers suspected that the threat actors may have exploited known flaws in public-facing web applications and content management systems, such as a remote code execution vulnerability in DotCMS (CVE-2022-26352), rather than relying on zero-day exploits.
H0lyGh0st is another ransomware family reported in recent weeks coming out of North Korea, with CISA earlier in July warning that North Korea-backed actors have used a custom ransomware variant called Maui to target healthcare organizations. While North Korea-backed APT cyber strategies have recently been focused on targeting blockchain and cryptocurrency organizations to siphon funds, North Korean threat actors are no stranger to ransomware, as seen with the high-profile 2017 WannaCry ransomware attack.
Microsoft researchers assessed that the North Korean government may be sponsoring this more recent ransomware activity to offset losses from economic setbacks brought on by the pandemic, sanctions and more.
“However, state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims than observed in DEV-0530 victimology,” said researchers. “Because of this, it is equally possible that the North Korean government is not enabling or supporting these ransomware attacks.”
Researchers also uncovered a “likely” overlap between H0lyGh0st and North Korean threat actor group Plutonium, which has been active since 2014 and has targeted the energy and defense industries in India, South Korea and the U.S. Email accounts associated with DEV-0530 were communicating with known Plutonium attacker accounts, and researchers also observed the two groups operating from the same infrastructure set and using custom controllers with the same names. However, they also pointed to distinct differences in targeting and tradecraft between the two groups.
With this connection in mind, “individuals with ties to Plutonium infrastructure and tools could be moonlighting for personal gain,” researchers said. “This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530.”