H0lyGh0st ransomware actors target small and midsize businesses

Security researchers from Microsoft warn that threat actors from North Korea are using H0lyGh0st ransomware to target small and midsize businesses around the globe.

According to the Microsoft Threat Intelligence Center (MSTIC), the actors, tracked as DEV-0530, have been compromising small and midsize businesses (SMBs) in multiple countries with H0lyGh0st ransomware since early September 2021.

MSTIC also linked the actors to another North Korea-based group, Plutonium (also known as DarkSeoul or Andariel). Active since 2014, Plutonium has mostly targeted the energy and defense industries in India, South Korea, and the United States.

“The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files,” Microsoft explained in the blog post.

Moreover, the actors threaten to publish data stolen from victims on social media, or to send it to the victims' customers, if the victims refuse to pay.
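The one concrete host-level indicator in the description above is the .h0lyenc extension applied to every encrypted file. As an added example (not code from the Microsoft report or from this article), the following Python script turns that indicator into a burst-detection check over file-rename telemetry: it flags any host on which a threshold number of files are renamed to .h0lyenc within a short window, which separates an active encryption run from a stray file. The log format, host names, process names, timestamps and thresholds are constructed assumptions for the example, not a real product format or real telemetry.

```python
"""Burst detection for H0lyGh0st-style encryption activity.

Added example, not code from MSTIC or the article. The event log format
(timestamp,host,process,old_path,new_path) is an assumed, simplified rename
log; the sample events below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import Path

# Extension MSTIC reported for files encrypted by H0lyGh0st.
RANSOM_EXT = ".h0lyenc"

# Constructed sample: a benign rename on HOST-A, a five-file burst on HOST-B
# (process name taken from the variant list in the report), and a single
# stray .h0lyenc file on HOST-C that should not trip the default threshold.
SAMPLE_LOG = """\
2022-05-02T09:00:01Z,HOST-A,explorer.exe,C:\\Users\\a\\draft.docx,C:\\Users\\a\\final.docx
2022-05-02T09:00:05Z,HOST-B,BTLC.exe,C:\\Share\\q1.xlsx,C:\\Share\\q1.xlsx.h0lyenc
2022-05-02T09:00:06Z,HOST-B,BTLC.exe,C:\\Share\\q2.xlsx,C:\\Share\\q2.xlsx.h0lyenc
2022-05-02T09:00:07Z,HOST-B,BTLC.exe,C:\\Share\\q3.xlsx,C:\\Share\\q3.xlsx.h0lyenc
2022-05-02T09:00:08Z,HOST-B,BTLC.exe,C:\\Share\\q4.xlsx,C:\\Share\\q4.xlsx.h0lyenc
2022-05-02T09:00:09Z,HOST-B,BTLC.exe,C:\\Share\\q5.xlsx,C:\\Share\\q5.xlsx.h0lyenc
2022-05-02T10:30:00Z,HOST-C,backup.exe,C:\\Bak\\x.bin,C:\\Bak\\x.bin.h0lyenc
"""


def parse_events(text):
    """Parse the assumed CSV rename log into (ts, host, process, old, new) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, proc, old, new = line.split(",", 4)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, proc, old, new))
    return events


def detect_encryption_bursts(events, ext=RANSOM_EXT, threshold=5, window=timedelta(seconds=60)):
    """Return {host: {count, first_seen, process}} for every host where at least
    `threshold` files were renamed to `ext` inside any sliding window of `window`.

    Only renames that add the extension count; a file that already carried it
    (for example an analyst copying a sample) is ignored.
    """
    per_host = defaultdict(list)
    for ts, host, proc, old, new in events:
        if new.lower().endswith(ext) and not old.lower().endswith(ext):
            per_host[host].append((ts, proc))

    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the window fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[host] = {
                    "count": count,
                    "first_seen": hits[start][0].isoformat(),
                    "process": hits[start][1],
                }
                break  # first qualifying window is enough to raise the alert
    return alerts


def find_encrypted_files(root, ext=RANSOM_EXT):
    """On-disk check for a suspected host: list files already carrying `ext`."""
    return sorted(str(p) for p in Path(root).rglob("*" + ext) if p.is_file())


if __name__ == "__main__":
    for host, info in detect_encryption_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {info['count']} files -> {RANSOM_EXT} "
              f"starting {info['first_seen']} by {info['process']}")
```

With the constructed log, only HOST-B is reported; HOST-C's lone .h0lyenc file falls below the threshold and would be caught instead by running find_encrypted_files on that host during triage. In practice the same sliding-window logic applies to any file-rename or file-create telemetry (EDR, Sysmon, audit logs) once the parser is adapted to its format, and the threshold should be tuned against a baseline of legitimate rename bursts such as backup jobs.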

Ransomware samples

Between June 2021 and May 2022, MSTIC classified the H0lyGh0st ransomware developed by DEV-0530 into two new malware families: SiennaPurple and SiennaBlue.

Within those families, the Microsoft team identified four variants: BTLC_C.exe (SiennaPurple) and HolyRS.exe, HolyLock.exe, and BLTC.exe (SiennaBlue). The families are distinguished by code base (C++ for SiennaPurple, Go for SiennaBlue), command-and-control (C2) infrastructure and URL patterns, and ransom note text.

Recommended ransomware protections

Microsoft published a number of safeguards for SMBs and users, such as deploying anti-malware protection on all endpoints, maintaining a backup and restore plan, and reviewing its blog post on the ransomware-as-a-service economy.

That guide offers solid recommendations for defending against ransomware, such as auditing credentials, applying hardening benchmarks to cloud deployments, and enforcing multi-factor authentication (MFA), to name a few.
