Holy Ghost, a lesser-known ransomware (opens in new tab) operator, is most likely being managed by North Korean hackers, Microsoft has said.
The company’s Threat Intelligence Center (MSTIC) has been tracking the malware (opens in new tab) variant for more than a year now, and has found multiple evidence pointing to North Koreans being behind the operation.
Although the group seems to be linked to the country’s government, it appears as if it’s not on payroll, but rather a financially motivated group that sometimes co-operates with the government.
Typical MO
MSTIC says the group has operated for quite some time now, but failed to become as big or as popular as other major players, such as BlackCat, REvil, or others.
It has the same modus operandi: find a flaw in the target’s systems (Microsoft spotted the group abusing CVE-2022-26352), move laterally across the network, mapping all of the endpoints, exfiltrate sensitive data, deploy ransomware (earlier, the group used SiennaPurple variant, later switched to an upgraded SiennaBlue version), and then demand a ransom payment in exchange for the decryption key and a promise that the data won’t be leaked/sold on the black market.
The group would usually target banks, schools, manufacturing organizations, and event management firms.
As for payment, the group would demand anywhere between 1.2 and 5 bitcoins, which is approximately $30,000 – $100,000, at today’s prices. However, even though these demands are relatively small, compared to other ransomware operators, Holy Ghost was still willing to negotiate and reduce the price even further, sometimes getting just a third of what it initially asked for.
Even though the things like attack frequency, or choice of target, made researchers think Holy Ghost is not a state-sponsored actor, there are some connections to the government. Microsoft found the group communicating with the Lazarus Group, which is a known state-sponsored actor. What’s more, both groups were “operating from the same infrastructure set, and even using custom malware controllers with similar names.”
