Microsoft has identified a new North Korean ransomware group that likely overlaps with another group believed to be directed by the Kim regime.

Microsoft detailed new ransomware from a group calling itself H0lyGh0st that likely overlaps with the government-directed DarkSeoul.

According to a blog post from the Microsoft Threat Intelligence Center, H0lyGh0st targets victims of opportunity and has been seen in several small and medium-sized enterprises in multiple countries. The group has been developing malware since June 2021.

While the group calls itself H0lyGh0st and HolyGhost on its onion page, and uses versions of the word "Holy" across its malware and file extension names, Microsoft tracks the group as DEV-0530. This article uses the HolyGhost name for readability and searchability.
Microsoft says that the infrastructure used in the attacks overlaps with that of DarkSeoul, and that email accounts linked to HolyGhost have been seen communicating with accounts linked to DarkSeoul. The HolyGhost group appears to work during hours consistent with operators living in North Korea or an adjacent time zone. That leaves two possibilities, Microsoft believes: either HolyGhost is a government-directed group raising money for a Kim regime beset by sanctions, or members of DarkSeoul are moonlighting. Neither would be out of character for state-directed hackers.

In the past, the ransomware group Evil Corp was itself sanctioned for cooperating with sanctioned espionage groups, in that case Russia's, making ransom payments to the group a sanctions violation. The Microsoft blog is new; it is too early to gauge whether the same will happen here.

For HolyGhost's part, the group claimed on its onion site, now down but archived in part by Microsoft, to work with three goals in mind: "[t]o close the gap between the rich and the poor," "[t]o help poor and starving people," and "[t]o increase security awareness."

HolyGhost's ransomware splits into two families, which Microsoft has dubbed SiennaPurple and SiennaBlue. SiennaPurple was written in C++ and used between June and October 2021; its only known variant is BTLC_C.exe. SiennaBlue, in use since October 2021, is written in Go. It has three variants (HolyRS.exe, HolyLock.exe and BTLC.exe), all built around the same core set of functions.

Microsoft says both SiennaPurple and SiennaBlue are detected by Microsoft Defender and advises standard ransomware prevention and preparedness measures to mitigate an attack.
Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.