Holy Ghost, a lesser-known ransomware operator, is most likely being run by North Korean hackers, Microsoft has said.
The company's Threat Intelligence Center (MSTIC) has been tracking the malware variant for more than a year now, and has found multiple pieces of evidence pointing to North Koreans being behind the operation.
Although the group appears to be linked to the country's government, it does not seem to be on the payroll; rather, it is a financially motivated group that sometimes cooperates with the government.
MSTIC says the group has been operating for quite some time now, but never became as large or as well known as other major players such as BlackCat or REvil.
It follows the same modus operandi: find a flaw in the target's systems (Microsoft observed the group exploiting CVE-2022-26352, a remote code execution vulnerability in dotCMS), move laterally across the network while mapping all of the endpoints, exfiltrate sensitive data, deploy ransomware (earlier the group used the SiennaPurple variant, later switching to an upgraded SiennaBlue version), and then demand a ransom payment in exchange for the decryption key and a promise that the data won't be leaked or sold on the black market.
The group typically targeted banks, schools, manufacturing organizations, and event management companies.
As for payment, the group would demand anywhere between 1.2 and 5 bitcoins, roughly $30,000 to $100,000 at today's prices. However, even though these demands are relatively small compared with those of other ransomware operators, Holy Ghost was still willing to negotiate and reduce the price even further, sometimes getting only a third of what it initially asked for.
Even though factors such as attack frequency and choice of targets led researchers to conclude that Holy Ghost is not a state-sponsored actor, there are some connections to the government. Microsoft found the group communicating with the Lazarus Group, which is a known state-sponsored actor. What's more, both groups were "operating from the same infrastructure set, and even using custom malware controllers with similar names."
Via: BleepingComputer