Chris Swagler | July 21st, 2022

North Korean threat operators have been running Holy Ghost (also written HolyGhost), a ransomware operation, for more than a year, targeting small businesses in numerous countries. Even though the operation follows the same playbook as other groups, double extortion combined with a leak site that exposes victims’ names and stolen data, the group, which has been active for a while, has failed to gain the notoriety and financial success of similar operations.

According to researchers from the Microsoft Threat Intelligence Center (MSTIC), the Holy Ghost ransomware group is tracked as DEV-0530, and the threat actor’s initial payload was observed in June 2021. The early Holy Ghost strain, classified as SiennaPurple (BTLC_C.exe), has fewer features than the later Go-based versions that appeared in October 2021. The newer variants, HolyRS.exe, HolyLocker.exe, and BTLC.exe, are tracked by Microsoft as SiennaBlue, and their functionality has grown over time to include multiple encryption methods, string obfuscation, public key management, and internet/intranet support. Researchers explain that DEV-0530 successfully breached numerous targets, primarily small-to-midsize companies; banks, schools, manufacturers, and event and meeting planning companies were among the victims.

MSTIC believes DEV-0530 may have exploited vulnerabilities in public-facing applications and content management systems, such as CVE-2022-26352 (a DotCMS remote code execution vulnerability), to obtain initial access to target networks. As in a typical double-extortion ransomware attack, Holy Ghost threat actors steal data from infected systems before encrypting them. The threat operators then place ransom notes on compromised machines; the notes give victims an email contact and a link to a sample of the stolen data, and state that the attackers are willing to negotiate a ransom in exchange for decryption keys. The threat actors demand a payout of between 1.2 and 5 bitcoins, or about $100,000 at the current exchange rate. Even though the demands are relatively small, according to MSTIC, the threat operators are willing to negotiate and have occasionally dropped the amount to less than a third of the initial demand.
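The encryption phase described above, in which many files on a host are overwritten with ciphertext in a short period, is one of the few ransomware behaviours a defender can detect generically without knowing the specific sample. The following is an added illustration, not code from the SpearTip post or from Microsoft’s report: it measures the Shannon entropy of file write events and flags a host when a burst of high-entropy writes occurs inside a short window. The event format, hostnames, sample payloads and thresholds are all constructed assumptions for the example.

```python
"""Added example (not from the SpearTip post or the Microsoft report):
a minimal detector for the mass-encryption phase of a ransomware attack.
It inspects a constructed list of file write events, computes the
Shannon entropy of each written payload, and flags a host when at least
`min_writes` high-entropy writes land inside any `window_s` period.
Event shape, hostnames and thresholds are assumptions for illustration."""
import math
from collections import Counter
from dataclasses import dataclass


@dataclass
class WriteEvent:
    host: str
    ts: float       # seconds since an arbitrary epoch (constructed)
    path: str
    data: bytes     # bytes written; real telemetry would carry a sample


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data,
    well below that for plain text and most document formats."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_encryption_burst(events, window_s=60.0, min_entropy=7.5, min_writes=5):
    """Return the set of hosts that produced >= min_writes writes with
    entropy >= min_entropy within any sliding window of window_s seconds."""
    flagged = set()
    recent = {}                       # host -> timestamps of recent high-entropy writes
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.data) < min_entropy:
            continue                  # ordinary write, ignore
        q = recent.setdefault(ev.host, [])
        q.append(ev.ts)
        while q and ev.ts - q[0] > window_s:
            q.pop(0)                  # drop writes that fell out of the window
        if len(q) >= min_writes:
            flagged.add(ev.host)
    return flagged


# Constructed sample telemetry. CIPHERTEXT is a stand-in for encrypted
# output (every byte value equally frequent, so entropy is exactly 8.0);
# PLAINTEXT imitates a normal document write.
CIPHERTEXT = bytes(range(256)) * 16
PLAINTEXT = b"invoice text " * 300

SAMPLE_EVENTS = (
    # ws-finance-02: six ciphertext writes in 25 seconds -> should be flagged
    [WriteEvent("ws-finance-02", 5.0 * i, f"/share/finance/q{i}.xlsx", CIPHERTEXT)
     for i in range(6)]
    # ws-hr-01: mostly plaintext, two high-entropy writes -> below threshold
    + [WriteEvent("ws-hr-01", 1.0 + i, f"/share/hr/doc{i}.txt", PLAINTEXT)
       for i in range(6)]
    + [WriteEvent("ws-hr-01", 30.0, "/share/hr/archive.zip", CIPHERTEXT),
       WriteEvent("ws-hr-01", 40.0, "/share/hr/backup.zip", CIPHERTEXT)]
    # ws-eng-03: six ciphertext writes spread over ten minutes -> not a burst
    + [WriteEvent("ws-eng-03", 120.0 * i, f"/share/eng/build{i}.bin", CIPHERTEXT)
       for i in range(6)]
)

if __name__ == "__main__":
    print("hosts showing an encryption burst:", detect_encryption_burst(SAMPLE_EVENTS))
```

In practice the events would come from EDR or file-system audit telemetry rather than an in-memory list, and the thresholds need tuning per environment: legitimate archives, media files and backup jobs also produce high-entropy writes, so this signal works best when combined with others such as mass renames to a new extension or the appearance of ransom-note files across many directories.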

These facts, along with the rarity of the attacks and the seemingly random selection of victims, support the idea that the Holy Ghost ransomware operation may not be under the North Korean government’s direct control. It’s possible that threat operators working for the Pyongyang regime are doing this for their own financial gain. However, MSTIC discovered communication between email accounts belonging to Holy Ghost and Andariel, a threat actor that is part of the Lazarus group under North Korea’s Reconnaissance General Bureau, which indicates a connection to state-backed threat operator groups. The researchers also note that both groups operate from the same infrastructure set and use custom malware controllers whose naming further strengthens the connection between them.

Holy Ghost’s website is currently unavailable; however, the threat operators took advantage of the limited visibility it had to pose as a legitimate organization looking to help victims improve their security posture. Additionally, the group claims that its actions are motivated by an effort to close the gap between rich and poor and to help poor and starving people. Like other ransomware threat actors, Holy Ghost promises victims that it will not sell or leak the stolen data if it gets paid. In addition to several indicators of compromise discovered while investigating the malware, Microsoft’s report contains a list of recommended actions for preventing infections with Holy Ghost payloads.

With more ransomware groups targeting small and midsize companies, it is crucial for them to stay aware of the current threat landscape and to regularly back up their sensitive network data. At SpearTip, our certified engineers help companies get back up and running in record time following a serious breach and handle their cyber incident response. Our engineers work continuously at our 24/7/365 Security Operations Centers, monitoring companies’ networks for potential ransomware threats like Holy Ghost, and are ready to respond to events at a moment’s notice. Our ShadowSpear Platform, a cutting-edge endpoint detection and response tool, delivers a cloud-based solution that collects endpoint logs and detects sophisticated unknown and advanced threats with comprehensive insights.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.