Microsoft links Holy Ghost ransomware operation to North Korean hackers
They’re not state-sponsored, but are linked to the government
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Holy Ghost, a lesser-knownransomwareoperator, is most likely being managed by North Korean hackers,Microsofthas said.
The company’s Threat Intelligence Center (MSTIC) has been tracking themalwarevariant for more than a year now, and has found multiple evidence pointing to North Koreans being behind the operation.
Although the group seems to be linked to the country’s government, it appears as if it’s not on payroll, but rather a financially motivated group that sometimes co-operates with the government.
Typical MO
MSTIC says the group has operated for quite some time now, but failed to become as big or as popular as other major players, such as BlackCat, REvil, or others.
It has the same modus operandi: find a flaw in the target’s systems (Microsoft spotted the group abusing CVE-2022-26352), move laterally across the network, mapping all of the endpoints, exfiltrate sensitive data, deploy ransomware (earlier, the group used SiennaPurple variant, later switched to an upgraded SiennaBlue version), and then demand a ransom payment in exchange for the decryption key and a promise that the data won’t be leaked/sold on the black market.
The group would usually target banks, schools, manufacturing organizations, and event management firms.
Lazarus hackers are using malicious cryptocurrency apps, FBI warns>FBI says North Korean Lazarus group was behind huge crypto theft>These are the best ID theft protection services today
As for payment, the group would demand anywhere between 1.2 and 5 bitcoins, which is approximately $30,000 - $100,000, at today’s prices. However, even though these demands are relatively small, compared to other ransomware operators, Holy Ghost was still willing to negotiate and reduce the price even further, sometimes getting just a third of what it initially asked for.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Even though the things like attack frequency, or choice of target, made researchers think Holy Ghost is not a state-sponsored actor, there are some connections to the government. Microsoft found the group communicating with the Lazarus Group, which is a known state-sponsored actor. What’s more, both groups were “operating from the same infrastructure set, and even using custom malware controllers with similar names.”
Via:BleepingComputer
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Windows PCs targeted by new malware hitting a vulnerable driver
Dangerous Android banking malware looks to trick victims with fake money transfers
Latest Google Pixel update includes surprise launch of Android 15’s best battery feature
