Microsoft has raised an alert over a ransomware gang that is apparently based in North Korea and has successfully compromised small businesses since September 2021.
Microsoft Threat Intelligence Center (MSTIC) is tracking the group as an emerging threat under the tag DEV-0530 and says the ‘H0lyGh0st’ payload has affected small businesses in multiple countries over the past year. It’s another double-extortion racket, so there’s a threat to files being both locked up and leaked, but the group’s motivations remain ambiguous.
The group’s standard methodology is to encrypt all files on the target device, append the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files, Microsoft says in a blog post.
“As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay,” it warns.
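The one host-level artifact the article gives defenders is the .h0lyenc extension appended to encrypted files. The following added example (not code from Microsoft or from the article) is a small triage script that walks a directory tree, counts files carrying that extension and returns a verdict; the threshold and the sample directory tree are assumptions constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extension the article reports H0lyGh0st appending to encrypted files.
H0LYGH0ST_EXT = ".h0lyenc"


def find_encrypted_files(root):
    """Walk `root` and return the sorted paths of every file ending in .h0lyenc."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(H0LYGH0ST_EXT):
                hits.append(Path(dirpath) / name)
    return sorted(hits)


def assess(root, threshold=5):
    """Summarise .h0lyenc presence under `root`.

    Returns a dict with the hit count, the affected directories and a verdict.
    A handful of hits may be a stray sample; many hits across directories look
    like a completed encryption run. `threshold` is an assumed, tunable cut-off.
    """
    hits = find_encrypted_files(root)
    dirs = sorted({str(p.parent) for p in hits})
    if not hits:
        verdict = "clean"
    elif len(hits) < threshold:
        verdict = "suspicious"
    else:
        verdict = "likely-encrypted"
    return {"count": len(hits), "directories": dirs, "verdict": verdict}


def build_sample_tree():
    """Construct a temporary tree mimicking a partly-encrypted host (constructed test data)."""
    base = Path(tempfile.mkdtemp(prefix="h0lyenc-demo-"))
    (base / "docs").mkdir()
    (base / "finance").mkdir()
    (base / "empty").mkdir()
    for i in range(3):
        (base / "docs" / f"report{i}.docx{H0LYGH0ST_EXT}").write_bytes(b"\x00" * 16)
    for i in range(3):
        (base / "finance" / f"ledger{i}.xlsx{H0LYGH0ST_EXT}").write_bytes(b"\x00" * 16)
    (base / "docs" / "readme.txt").write_text("untouched")
    return base


if __name__ == "__main__":
    sample = build_sample_tree()
    print(assess(sample))
```

Run it against a user's home directory or a file share rather than the constructed tree to get a quick read on whether an encryption run has touched it; the extension match is case-insensitive so renamed samples are still caught.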
Microsoft says it has observed DEV-0530 communicating with the North Korea-based state-sponsored group it tracks as Plutonium, which is also known as DarkSeoul or Andariel. The group has also used tools created exclusively by Plutonium. Researchers at Symantec in 2019 blamed a series of hacks against South Korea on the DarkSeoul gang. DarkSeoul has operated since around 2013 and has deployed destructive malware on targets.
The primary goal of DEV-0530 is financial gain, says Microsoft.
Microsoft says it’s seen known DEV-0530 email accounts communicating with known Plutonium attacker accounts. The tools shared include custom malware controllers with similar names. Microsoft analyzed the group’s activity time patterns to deduce it is based in North Korea. Despite shared tooling, Microsoft says the two groups are distinct from each other.
This confuses the assessment of what type of group it is. Microsoft says North Korean hackers’ use of ransomware is likely motivated by the country’s weak economy, which is due to sanctions, natural disasters, drought, and the nation’s COVID-19 lockdown. However, it adds that the narrow list of targets is inconsistent with previous state-sanctioned hacking from North Korea involving cryptocurrency theft.
North Korean hacking groups connected to Lazarus last year stole nearly $400 million worth of cryptocurrency. The US government has also warned US and European organizations to avoid inadvertently hiring North Korean tech contractors. In 2019, the United Nations estimated the nation’s hackers had gained $2 billion from attacks on banks and cryptocurrency exchanges to fund weapons purchases.
“To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If the North Korean government is ordering these ransomware attacks, then the attacks would be yet another tactic the government has enabled to offset financial losses,” Microsoft notes.
However, it points out that state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims, and instead these attacks could be coming from hackers moonlighting for personal gain.
“This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530,” it notes.
Microsoft has found the attackers frequently asked victims for 1.2 to 5 Bitcoins. The attackers have usually been willing to negotiate and, in some cases, lowered the price to less than a third of the initial asking price. But, based on wallet transactions, the attackers appear not to have extorted payments since early July 2022.