H0lyGh0st Detection: New Ransomware Tied to North Korean APT

New day, the headache for cyber defenders! Microsoft Threat Intelligence Center (MSTIC)  reports a new ransomware strain attacking small to middle-sized businesses across the globe since June 2021. Dubbed H0lyGh0st, the malware has been initially developed by an emerging North Korean APT tracked under the DEV-0530 moniker. The ransomware attacks are explicitly financially motivated, targeting such sectors as manufacturing, education, financial services, and tech.

Analysis of DEV-0530 activity reveals the ties to another North Korea-backed threat actor known as Plutonium (aka Andariel), an active unit of the Lazarus umbrella. Security experts observe active communication between the clusters as well as shared malicious tools to proceed with the attacks.

Detect H0lyGh0st

To identify behaviors associated with H0lyGh0st ransomware, utilize the following threat detection content released by seasoned Threat Bounty contributors Aytek Aytemur and Muhammed Hamdi Akin:

Detection of H0lyGh0st Ransomware Activity

The rule kit is aligned with the MITRE ATT&CK® framework v.10 and has translations for 26 SIEM, EDR & XDR platforms.

Risking sounding like a broken record, we want to stress the paramount importance of timely threat prevention & detection. Sign up for free at SOC Prime’s Detection as Code platform to access the most relevant detection content on the ransomware threat by clicking the Detect & Hunt button below. To effortlessly search for related threats and instantly delve into contextual metadata, like CTI and MITRE ATT&CK references, click the Explore Threat Context button and drill down to relevant search results using SOC Prime’s search engine for Threat Detection, Threat Hunting, and CTI.

Detect & Hunt Explore Threat Context

H0lyGh0st Description

According to the in-depth inquiry by MSTIC, H0lyGh0st ransomware is a relatively new strain developed by the emerging DEV-0530 APT sponsored by the North Korean government. Threat actors leverage the malware for financially-motivated attacks to siphon funds into their country, choosing random small and middle-sized companies across the globe. 

All the attacks observed since September 2021 follow the same pattern. Threat actors rely on unpatched vulnerabilities in customer-facing web applications and CMSs (like CVE-2022-26352) to drop the H0lyGh0st ransomware. Then, H0lyGh0st is used to encrypt all files on the targeted instance utilizing the .h0lyenc extension. Further, a sample of files to prove the attack is sent to the victim along with the ransom note. Threat actors typically demand payments in Bitcoin ranging between 1.2 and 5 BTC. Communication with the victim is arranged via a dedicated .onion website, which also showcases threats to sell or publish sensitive data to put double extortion pressure on victims. Still, lately, the attacks were not reaching the goal since the analysis of the actor’s cryptocurrency wallet shows no successful payments since early July 2022.

The H0lyGh0st ransomware analysis reveals that in the 2021-2022 timeframe, attackers released four samples of the malware to target Windows systems (TLC_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe). While BTLC_C.exe (dubbed SiennaPurple) is programmed in C++, the rest of the versions (tracked as SiennaBlue) are crafted in Go, pointing to the attempts of cross-platform ransomware development. The latest versions came with significant enhancements to their key features, including strain obfuscation and abilities to delete scheduled tasks. Despite the H0lyGh0st hackers’ latest lack of luck in the financial gain domain, security researchers warn of their dark web activities.

In June, we introduced some significant improvements to SOC Prime’s Threat Bounty Program. Learn more about the cyber world’s most prolific detection content developers’ program and secure your place among industry leaders with SOC Prime.