November 14, 2024

An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021.

The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned to an unknown, emerging, or still-developing cluster of threat activity.

Targeted entities primarily include small-to-midsize businesses such as manufacturing organizations, banks, schools, and event and meeting planning companies.

“Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims,” the researchers said in a Thursday analysis.

“The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files.”

Ransom amounts demanded by DEV-0530 range anywhere between 1.2 and 5 bitcoins, although an analysis of the attacker’s cryptocurrency wallet shows no successful ransom payments from its victims as of early July 2022.

DEV-0530 is believed to have connections with another North Korea-based group known as Plutonium (aka DarkSeoul or Andariel), a sub-group operating under the Lazarus umbrella (aka Zinc or Hidden Cobra).

The illicit scheme adopted by the threat actor also borrows from the wider ransomware landscape, leveraging extortion tactics to pressure victims into paying up or risk having their information published on social media.

DEV-0530’s dark web portal claims it aims to “close the gap between the rich and poor” and “help the poor and starving people,” in a tactic that mirrors another ransomware family called GoodWill that compels victims into donating to social causes and providing financial assistance to people in need.

The technical breadcrumbs that tie the group to Andariel stem from overlaps in the infrastructure set and from communications between email accounts controlled by the two attacker collectives, with DEV-0530 activity consistently observed during Korea Standard Time (UTC+09:00).

“Despite these similarities, differences in operational tempo, targeting, and tradecraft suggest DEV-0530 and Plutonium are distinct groups,” the researchers pointed out.

In a sign that suggests active development, four different variants of the H0lyGh0st ransomware were churned out between June 2021 and May 2022 to target Windows systems: BTLC_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe.

While BTLC_C.exe (dubbed SiennaPurple) is written in C++, the other three versions (codenamed SiennaBlue) are programmed in Go, suggesting an attempt on the part of the adversary to develop cross-platform malware.

The newer strains also come with improvements to their core functionality, including string obfuscation and abilities to delete scheduled tasks and remove themselves from the infected machines.
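As an added example that is not part of the article or of Microsoft's report, the following Python detector applies two of the behaviours described above (a burst of files renamed to the .h0lyenc extension, followed by scheduled-task deletion) to a constructed set of file-system audit events; the event format, hostnames, thresholds and the five-minute grace period are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".h0lyenc"      # extension the article reports for encrypted files
RENAME_THRESHOLD = 3            # renames to that extension per host within WINDOW
WINDOW = timedelta(seconds=60)  # burst window for the mass-rename heuristic
# Constructed sample audit events (assumed format, not real telemetry):
# "<ISO timestamp> <host> <RENAME|TASK_DELETE> <detail>"
SAMPLE_EVENTS = r"""
2022-07-07T01:12:03 ws-finance-02 RENAME C:\Users\kim\Q2.xlsx -> C:\Users\kim\Q2.xlsx.h0lyenc
2022-07-07T01:12:03 ws-finance-02 RENAME C:\Users\kim\notes.docx -> C:\Users\kim\notes.docx.h0lyenc
2022-07-07T01:12:04 ws-finance-02 RENAME C:\Users\kim\budget.pdf -> C:\Users\kim\budget.pdf.h0lyenc
2022-07-07T01:12:09 ws-finance-02 TASK_DELETE \Microsoft\Windows\Backup\NightlyCopy
2022-07-07T09:30:00 ws-hr-01 RENAME C:\Users\lee\draft.docx -> C:\Users\lee\draft_v2.docx
2022-07-07T09:31:10 ws-hr-01 TASK_DELETE \Cleanup\TempFiles
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (RENAME|TASK_DELETE) (.+)$")

def parse_events(text):
    """Parse audit lines into (timestamp, host, kind, detail); skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, kind, detail = m.groups()
            events.append((datetime.fromisoformat(ts), host, kind, detail))
    return events

def detect_h0lygh0st_activity(text):
    """Return {host: {"encrypted": n, "task_deleted": bool}} for hosts with at least
    RENAME_THRESHOLD renames to .h0lyenc inside one WINDOW. A task deletion alone
    (ws-hr-01 above) is routine admin work and is deliberately not alerted."""
    renames, task_deletes = defaultdict(list), defaultdict(list)
    for ts, host, kind, detail in parse_events(text):
        if kind == "RENAME" and detail.lower().endswith(ENCRYPTED_EXT):
            renames[host].append(ts)
        elif kind == "TASK_DELETE":
            task_deletes[host].append(ts)
    alerts = {}
    for host, times in renames.items():
        times.sort()
        for i, start in enumerate(times):
            burst = [t for t in times[i:] if t - start <= WINDOW]
            if len(burst) >= RENAME_THRESHOLD:
                # SiennaBlue variants delete scheduled tasks: note one within 5 min of the burst
                cleanup = any(start <= t <= burst[-1] + timedelta(minutes=5) for t in task_deletes[host])
                alerts[host] = {"encrypted": len(times), "task_deleted": cleanup}
                break
    return alerts
```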

The intrusions are said to have been facilitated through the exploitation of unpatched vulnerabilities in public-facing web applications and content management systems (e.g., CVE-2022-26352), with the resulting access used to drop the ransomware payloads and exfiltrate sensitive data prior to encrypting the files.

The findings come a week after U.S. cybersecurity and intelligence agencies warned about the use of Maui ransomware by North Korean government-backed hackers to target the healthcare sector since at least May 2021.

The expansion from financial heists to ransomware is being viewed as yet another tactic sponsored by the North Korean government to offset losses from sanctions, natural disasters, and other economic setbacks.

But given the narrower set of victims than is typically associated with state-sponsored activity against cryptocurrency organizations, Microsoft theorized the attacks could be a side hustle for the threat actors involved.

“It is equally possible that the North Korean government is not enabling or supporting these ransomware attacks,” the researchers said. “Individuals with ties to Plutonium infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530.”

The ransomware threat evolves in a post-Conti world

The development also comes as the ransomware landscape is evolving with existing and new ransomware groups, namely LockBit, Hive, Lilith, RedAlert (aka N13V), and 0mega, even as the Conti gang formally shuttered its operations in response to a massive leak of its internal chats.

Adding fuel to the fire, LockBit’s improved successor also comes with a brand new data leak site that allows any actor to purchase data stolen from victims, not to mention incorporating a search feature that makes it easier to surface sensitive information.

Other ransomware families have also added similar capabilities in an attempt to create searchable databases of information stolen during attacks. Notable among them are PYSA, BlackCat (aka ALPHV), and the Conti offshoot known as Karakurt, according to a report from Bleeping Computer.

Based on statistics gathered by Digital Shadows, 705 organizations were named in ransomware data leak websites in the second quarter of 2022, marking a 21.1% increase from Q1 2022. The top ransomware families during the period included LockBit, Conti, BlackCat, Black Basta, and Vice Society.