Holy Ghost, a lesser-known ransomware (opens in new tab) operator, is most likely being managed by North Korean hackers, Microsoft has said.
The company’s Threat Intelligence Center (MSTIC) has been tracking the malware (opens in new tab) variant for more than a year now, and has found multiple evidence pointing to North Koreans being behind the operation.
Although the group seems to be linked to the country’s government, it appears as if it’s not on payroll, but rather a financially motivated group that sometimes co-operates with the government.
Typical MO
MSTIC says the group has operated for quite some time now, but failed to become as big or as popular as other major players, such as BlackCat, REvil, or others.
It has the same modus operandi: find a flaw in the target’s systems (Microsoft spotted the group abusing CVE-2022-26352), move laterally across the network, mapping all of the endpoints, exfiltrate sensitive data, deploy ransomware (earlier, the group used SiennaPurple variant, later switched to an upgraded SiennaBlue version), and then demand a ransom payment in exchange for the decryption key and a promise that the data won’t be leaked/sold on the black market.
The group would usually target banks, schools, manufacturing organizations, and event management firms.
As for payment, the group would demand anywhere between 1.2 and 5 bitcoins, which is approximately $30,000 – $100,000, at today’s prices. However, even though these demands are relatively small, compared to other ransomware operators, Holy Ghost was still willing to negotiate and reduce the price even further, sometimes getting just a third of what it initially asked for.
Even though the things like attack frequency, or choice of target, made researchers think Holy Ghost is not a state-sponsored actor, there are some connections to the government. Microsoft found the group communicating with the Lazarus Group, which is a known state-sponsored actor. What’s more, both groups were “operating from the same infrastructure set, and even using custom malware controllers with similar names.”
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba