Microsoft has raised an alert over a ransomware gang that is apparently based in North Korea and has successfully compromised small businesses since September 2021.
Microsoft Threat Intelligence Center (MSTIC) is tracking the group as an emerging threat under the tag DEV-0530 and says the 'H0lyGh0st' payload has affected small businesses in multiple countries over the past year. It's another double-extortion racket, so there's a threat to files being both locked up and leaked, but the group's motivations remain ambiguous.
The group's standard methodology is to encrypt all files on the target device using the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files, Microsoft says in a blog post.
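The one concrete indicator the article gives is the .h0lyenc extension. As an added example that is not part of Microsoft's post, the script below shows how a defender could turn that into a burst detection: it parses file-creation events in an assumed simplified format (timestamp, host, path) and flags any host where several files carrying the extension appear within a short window, which separates an active encryption run from a stray renamed file. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample file-creation events (not real telemetry).
# Assumed format: <ISO-8601 UTC timestamp> <hostname> <path>
SAMPLE_EVENTS = """\
2022-07-05T09:00:01Z host-a C:\\Users\\alice\\Documents\\q2-report.docx
2022-07-05T09:12:10Z host-a C:\\Users\\alice\\Documents\\q2-report.docx.h0lyenc
2022-07-05T09:12:11Z host-a C:\\Users\\alice\\Documents\\invoices.xlsx.h0lyenc
2022-07-05T09:12:11Z host-a C:\\Users\\alice\\Pictures\\team.jpg.h0lyenc
2022-07-05T09:12:12Z host-a C:\\Users\\alice\\Desktop\\notes.txt.h0lyenc
2022-07-05T09:40:00Z host-b C:\\Users\\bob\\Downloads\\archive.zip
2022-07-05T10:05:00Z host-b C:\\Users\\bob\\Desktop\\old.h0lyenc
"""

EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+)$")
SUSPECT_EXT = ".h0lyenc"  # extension reported for H0lyGh0st


def parse_events(text):
    """Parse log text into (timestamp, host, path) tuples, skipping bad lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3)))
    return events


def detect_encryption_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Return {host: first_timestamp} for every host on which at least
    `threshold` files with SUSPECT_EXT were created inside one sliding window."""
    per_host = defaultdict(list)
    for ts, host, path in events:
        if path.lower().endswith(SUSPECT_EXT):
            per_host[host].append(ts)
    alerts = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside `window`.
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = stamps[start]
                break
    return alerts


if __name__ == "__main__":
    for host, first in detect_encryption_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: encryption burst starting {first.isoformat()}Z")
```

In the constructed sample, host-a produces four .h0lyenc files within two seconds and is flagged, while host-b's single file stays below the threshold.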
The primary goal of DEV-0530 is financial gain, says Microsoft.
Microsoft says it's seen known DEV-0530 email accounts communicating with known Plutonium attacker accounts. The tools shared include custom malware controllers with similar names. Microsoft analyzed the group's activity time patterns to deduce it is based in North Korea. Despite shared tooling, Microsoft says the two groups are distinct from each other.
This complicates the assessment of what type of group it is. Microsoft says North Korean hackers' use of ransomware is likely motivated by the country's weak economy, a result of sanctions, natural disasters, drought, and the nation's COVID-19 lockdown. However, it adds that the narrow list of targets is inconsistent with previous state-sanctioned hacking from North Korea involving cryptocurrency theft.
"To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If the North Korean government is ordering these ransomware attacks, then the attacks would be yet another tactic the government has enabled to offset financial losses," Microsoft notes.
However, it points out that state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims, and instead these attacks could be coming from hackers moonlighting for personal gain.
"This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530," it notes.
Microsoft has found the attackers frequently asked victims for 1.2 to 5 bitcoins. The attackers have usually been willing to negotiate and, in some cases, lowered the price to less than a third of the initial asking price. But, based on wallet transactions, the attackers appear not to have extorted payments since early July 2022.