Microsoft researchers have linked an emerging ransomware threat that already has compromised a number of small-to-mid-sized businesses to financially motivated North Korean state-sponsored actors that have been active since last year.
A group tracked by researchers from Microsoft Threat Intelligence Center (MSTIC) as DEV-0530 but that calls itself H0lyGh0st has been developing and using ransomware in attacks since June 2021.
The group has successfully compromised small-to-mid-sized businesses—including manufacturing organizations, banks, schools, and event and meeting planning companies—in multiple countries starting as early as September, researchers from MTIC and Microsoft Digital Security Unit (MDSU) said in a blog post published Thursday.
H0lyGh0st’s standard modus operandi is to use a namesake ransomware to encrypt all files on the target device using the file extension .h0lyenc, then send the victim a sample of the files as proof. The group interacts with victims on a .onion site that it maintains and on which it provides a contact form for victims to get in touch, researchers said.
[FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.]
The group typically demands payment in Bitcoin in exchange for restoring access to the files. On its website, H0lyGh0st claims that it won’t sell or publish victim data if they pay, researchers said. However, it uses double extortion to pressure targets to pay, threatening to publish stolen data on social media or send it to the victims’ customers if they don’t meet ransom demands.
Introducing H0lyGh0st
H0lyGh0st’s ransomware campaigns are financially motivated, with researchers observing text linked to a ransom note that they intercepted in which attackers claim they aim to “close the gap between the rich and poor,” researchers said.
“They also attempt to legitimize their actions by claiming to increase the victim’s security awareness by letting the victims know more about their security posture,” they said.
DEV-0530 also has connections with another North Korean-based group tracked as PLUTONIUM, also known as DarkSeoul or Andariel, according to MSTIC, with researchers observing communications between the two groups. H0lyGh0st also has been seen using tools created exclusively by PLUTONIUM, they said.
A Tale of Two Families
Since it began using ransomware in June 2021 and until May 2022, H0lyGh0st has employed two custom-developed malware families–SiennaPurple and SiennaBlue, researchers said. MSTIC identified four variants linked to these families: BTLC_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe.
BTLC_C.exe is written in C++ and is classified as SiennaPurple, while the rest are written in the open-source Go programming language, researchers said. All of the variants are compiled into .exe to target Windows systems, they said.
BLTC_C.exe is a portable ransomware developed by the group that was first seen in June 2021. However, it may have been an early version of the group’s development efforts, as it doesn’t have many features compared to all malware variants in the SiennaBlue family, researchers said.
Later in the group’s evolution, between October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530 ransomware variants written in Go, which they classify as SiennaBlue variants, they said.
Though new Go functions have been added to the various variants over time, all the ransomware in the SiennaBlue family share the same core Go functions, researchers observed. These features include various encryption options, string obfuscation, public key management, and support for the internet and intranet, researchers said.
Most Recent Variant
The latest ransomware variant to be used by the group is BTLC.exe, which researchers have seen in the wild since April of this year, they said.
BTLC.exe can be configured to connect to a network share using the default username, password, and intranet URL hardcoded in the malware if the ServerBaseURL is not accessible from the device, researchers said.
The malware also includes a persistence mechanism in which it creates or deletes a scheduled task called lockertask that can launch the ransomware. Once the malware is successfully launched as an administrator, it tries to connect to the default ServerBaseURL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive, they said.
FREE On-demand Event: Join Keeper Security’s Zane Bond in a Threatpost roundtable and learn how to securely access your machines from anywhere and share sensitive documents from your home office. WATCH HERE.