Holy Ghost ransomware campaign targets small-scale organisations

July 22, 2022

The Holy Ghost ransomware campaign operated by North Korea has been active for more than a year. This ransomware operation has been a menace to small businesses in different countries.

Cybersecurity researchers from MSTIC continuously track the Holy Ghost ransomware group, which they designate DEV-0530. According to the latest analyst report, the North Korean group's initial payload was first observed in June last year.

The first Holy Ghost variant, SiennaPurple, carried fewer capabilities than the Go-based versions that emerged in October last year. Researchers track the most recent of these variants as SiennaBlue.

SiennaBlue included HolyLocker[.]exe, HolyRS[.]exe, and BTLC[.]exe payloads.

Both variants were developed by the North Korean threat group and used by DEV-0530 in several campaigns, and their feature set expanded over time to add multiple encryption options.

In addition, the newer variant gained several features that make the attacks more effective, such as internet/intranet support, string obfuscation, and public key management.

Small-scale entities were the primary focus of the Holy Ghost ransomware group.

The Holy Ghost campaign has hit multiple sectors, including academic institutions, banking organisations, manufacturing firms, and event planning committees. However, the group only targets small or mid-tier organisations, demanding at most 5 BTC per victim.

Researchers believe that the low frequency of Holy Ghost's attacks and the unpredictability of its target selection support the assessment that it is a North Korean ransomware operation.

Furthermore, MSTIC disclosed email communication between Holy Ghost and an entity belonging to the Lazarus group, which operates under the direction of North Korea's reconnaissance team.

Both groups have also been observed operating from the same infrastructure set and using custom malware controllers with similar names, which is strong evidence of a connection between the two North Korean entities.

North Korea's Holy Ghost has remained active for more than a year and shows no sign of slowing down, which implies that the operators are continually working to make the operation harder to detect. To stay protected, experts advise organisations to collaborate, for example by sharing indicators of compromise as the malware is analysed.
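As an added illustration of the indicator-sharing advice above (this is example code written for this page, not code from the article or from MSTIC), the following script takes the three payload file names the article lists in defanged `[.]` notation, refangs them, and matches them as whole file names against constructed process-creation log lines. The log format and the log lines are constructed for the example; only the three file names come from the article.

```python
"""Added example (not from the original article or from MSTIC): matching the
defanged payload file names the article lists against constructed process-
creation log lines. The log format and the log lines are constructed for this
example; only the three file names come from the article."""
import re

# Indicators exactly as the article lists them, in defanged "[.]" notation.
DEFANGED_FILE_IOCS = ["HolyLocker[.]exe", "HolyRS[.]exe", "BTLC[.]exe"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (e.g. 'HolyRS[.]exe') back into the literal
    value it stands for, so it can be compared against real log data."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def build_matcher(defanged: list[str]) -> re.Pattern:
    """Compile one case-insensitive regex that matches any of the file names
    only when they appear as a whole name (not as a substring of a longer
    name such as 'NotBTLC.exe')."""
    names = [re.escape(refang(i)) for i in defanged]
    return re.compile(r"(?<![\w.-])(" + "|".join(names) + r")(?![\w.-])",
                      re.IGNORECASE)


def scan_log(lines: list[str],
             defanged: list[str] = DEFANGED_FILE_IOCS) -> list[tuple[int, str]]:
    """Return (line_number, matched_name) for every log line that references
    one of the indicator file names. Line numbers are 1-based."""
    matcher = build_matcher(defanged)
    hits = []
    for n, line in enumerate(lines, start=1):
        m = matcher.search(line)
        if m:
            hits.append((n, m.group(1)))
    return hits


# Constructed sample lines in a hypothetical process-creation log format.
SAMPLE_LOG = [
    "2022-06-14T09:12:01Z host=ws-07 event=ProcessCreate image=C:\\Windows\\System32\\svchost.exe",
    "2022-06-14T09:12:44Z host=ws-07 event=ProcessCreate image=C:\\Users\\Public\\HolyRS.exe",
    "2022-06-14T09:13:02Z host=ws-07 event=ProcessCreate image=C:\\Users\\Public\\holylocker.exe",
    "2022-06-14T09:13:30Z host=ws-07 event=ProcessCreate image=C:\\Temp\\NotBTLC.exe",
    "2022-06-14T09:14:10Z host=ws-07 event=ProcessCreate image=C:\\Temp\\BTLC.exe parent=cmd.exe",
]

if __name__ == "__main__":
    for n, name in scan_log(SAMPLE_LOG):
        print(f"line {n}: matched IoC {name}")
```

Running the script reports lines 2, 3 and 5; the whole-name boundary check is what keeps line 4 (`NotBTLC.exe`) from being flagged, and the case-insensitive match catches the lower-cased name on line 3. File-name indicators are cheap for an attacker to change, so in practice they belong alongside hash, network and behavioural indicators rather than on their own.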