Holy Ghost, a lesser-known ransomware operator (opens in a new tab), is likely run by North Korean hackers, Microsoft said.

The company's Threat Intelligence Center (MSTIC) has been tracking the malware variant (opens in a new tab) for over a year and has found ample evidence that the North Koreans are behind the operation.

Although the group appears to be linked to the country's government, it appears that they are not salaried, but rather a financially motivated group that sometimes cooperates with the government.

typical MO

MSTIC says the group has been around for a while, but hasn't gotten as big or popular as other major players, like BlackCat, REvil, or others.

It has the same modus operandi: find a flaw in the target's systems (Microsoft caught the group abusing CVE-2022-26352), move laterally in the network, map all endpoints, leak sensitive data, deploy a ransomware (previously , the group used SiennaPurple, then upgraded to an improved version of SiennaBlue), then demands a ransom payment for the decryption key and a promise that the data will not be leaked or sold on the black market.

The group would normally target banks, schools, manufacturing organizations and event management companies.

As for payment, the group would demand between 1,2 and 5 bitcoins, or between $30.000 and $100.000, at current prices. However, even though these demands are relatively low compared to other ransomware operators, Holy Ghost was still willing to negotiate and further reduce the price, sometimes only getting a third of what they initially asked for.

Although things like the frequency of attacks or the choice of target have led researchers to believe that Holy Ghost is not a state-sponsored actor, there are government ties. Microsoft discovered that the group was communicating with the Lazarus Group, which is a well-known state-sponsored actor. Furthermore, both groups were “operating from the same set of frameworks and even using similarly named custom malware checkers.”

Via: BleepingComputer (Opens in a new tab)

Share This