Microsoft links Holy Ghost ransomware operation to North Korean hackers


The Microsoft Threat Intelligence Center (MSTIC) researchers linked the activity of the Holy Ghost ransomware (H0lyGh0st) operation to a North Korea-linked group they track as DEV-0530.

The ransomware group, active since June 2021, has been attacking small businesses in various countries.

Microsoft tracks the newer variants as SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe) and notes that their functionality expanded over time to include multiple encryption options, string obfuscation, public key management, and internet/intranet support.

According to the researchers, DEV-0530 managed to compromise several targets, mainly small-to-midsize businesses. The victims include banks, schools, manufacturing organizations, and event and meeting planning companies.

Holy Ghost actors followed the pattern of a typical ransomware attack and stole data before deploying the encryption routine on infected systems.

The actors demanded a small payout of between 1.2 and 5 bitcoins, or up to about $100,000 at the current exchange rate. They were also willing to negotiate and sometimes lowered the price to less than a third of the initial demand.

The hackers are believed to be working for the Pyongyang regime for personal financial gain.

The connection with state-backed hacker groups is present, though, as MSTIC found communication between email accounts belonging to Holy Ghost and Andariel, a threat actor that is part of the Lazarus Group under North Korea’s Reconnaissance General Bureau.

Both were also “operating from the same infrastructure set, and even using custom malware controllers with similar names.”

Holy Ghost’s website is down at the moment, but the attackers used the little visibility it had to pose as a legitimate entity trying to help victims improve their security posture.

Holy Ghost assured victims that it would not sell or leak the stolen data if they paid.

The report published by Microsoft also includes indicators of compromise (IoCs) for this threat and recommendations for mitigating it.
