H0lyGh0st Ransomware: North Korea’s New Weapon

by Carl Keyser

July 18, 2022

A North Korean threat group calling itself H0lyGh0st (tracked by Microsoft as DEV-0530) has been hitting small-to-medium-sized businesses with a ransomware family of the same name, and its motive appears to be plain financial gain.

Here’s what you need to know:

Discovery

The team at Microsoft’s Threat Intelligence Center (MSTIC) first observed H0lyGh0st in June 2021. Since then, the group has compromised organizations in several countries and its reach has kept growing.

How does H0lyGh0st work?

Much like any other ransomware. Once the group has tricked someone into running it, or has gained a foothold on the network by some other route, the malware encrypts the files it finds on the victim’s machines and appends the extension “.h0lyenc” to each one. That extension is a simple tell: if files ending in .h0lyenc start appearing on a share, you are already in the middle of an incident.

After encrypting the files, the group sends the victim a ransom note demanding payment in Bitcoin, along with a sample of the victim’s own files as proof that it has them. The note also points to the group’s “.onion” site, where the victim is expected to arrange payment through a contact form.

H0lyGh0st uses double extortion on its victims: first it demands payment to decrypt the files, then it threatens to publish the stolen copies if that payment doesn’t arrive.

Variants and More

According to MSTIC, H0lyGh0st’s ransomware comes in two families:

  • SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe)
  • SiennaPurple (BTLC_C.exe)

SiennaBlue is written in the open-source Go programming language; SiennaPurple is written in C++. The SiennaPurple variant is the less capable of the two. SiennaBlue has a richer feature set, including multiple encryption options, string obfuscation, public key management, and support for both internet and intranet operation.
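Both the “.h0lyenc” extension described above and the binary names in the variant list are things you can hunt for on a file server or a suspect workstation. The script below is an added example written for this post, not code from the original article or from Microsoft: it walks a directory tree and reports every file carrying one of those indicators, counting encrypted files per directory so you can see where the encryption ran. The sample tree it scans is constructed inline; the `HuntResult` type and function names are this example’s own.

```python
"""Hunt for the H0lyGh0st indicators named in this post.

Added example, not from the original post and not Microsoft's tooling. It
uses only the indicators the post gives: the ".h0lyenc" extension appended
to encrypted files and the SiennaBlue / SiennaPurple binary names. The
directory tree scanned by run_demo() is constructed inline.
"""
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

ENCRYPTED_EXT = ".h0lyenc"

# Binary names from the post's variant list, matched case-insensitively
# because NTFS file names are case-insensitive.
VARIANT_BINARIES = {
    "holyrs.exe": "SiennaBlue",
    "holylocker.exe": "SiennaBlue",
    "btlc.exe": "SiennaBlue",
    "btlc_c.exe": "SiennaPurple",
}


@dataclass
class HuntResult:
    encrypted_files: list = field(default_factory=list)  # relative paths, sorted
    binaries: dict = field(default_factory=dict)         # relative path -> variant
    per_dir: dict = field(default_factory=dict)          # relative dir -> encrypted count

    @property
    def suspicious(self) -> bool:
        return bool(self.encrypted_files or self.binaries)


def hunt(root) -> HuntResult:
    """Walk `root` and collect every file that carries a known indicator."""
    root = Path(root)
    result = HuntResult()
    for dirpath, _subdirs, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        for name in filenames:
            rel_path = (Path(dirpath) / name).relative_to(root).as_posix()
            lower = name.lower()
            if lower.endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(rel_path)
                result.per_dir[rel_dir] = result.per_dir.get(rel_dir, 0) + 1
            elif lower in VARIANT_BINARIES:
                result.binaries[rel_path] = VARIANT_BINARIES[lower]
    result.encrypted_files.sort()
    return result


def build_sample_tree(base):
    """Constructed sample: two encrypted documents, one dropped locker, normal files."""
    base = Path(base)
    (base / "Finance").mkdir()
    (base / "HR").mkdir()
    (base / "Finance" / "q2.xlsx.h0lyenc").write_bytes(b"\x00" * 16)
    (base / "Finance" / "budget.docx.h0lyenc").write_bytes(b"\x00" * 16)
    (base / "HR" / "HolyRS.exe").write_bytes(b"MZ")
    (base / "HR" / "handbook.pdf").write_bytes(b"%PDF-1.4")
    (base / "notes.txt").write_bytes(b"nothing to see here")


def run_demo() -> HuntResult:
    """Build the constructed tree in a temp dir, hunt it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return hunt(tmp)


def hunt_clean_tree() -> HuntResult:
    """Control case: an empty tree must produce no hits."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(tmp)


if __name__ == "__main__":
    res = run_demo()
    print("suspicious:", res.suspicious)
    for p in res.encrypted_files:
        print("  encrypted:", p)
    for p, variant in res.binaries.items():
        print(f"  binary:    {p} ({variant})")
    for d, n in res.per_dir.items():
        print(f"  dir hit:   {d}: {n} encrypted file(s)")
```

Point `hunt()` at a mounted share or a user profile to run it for real. A name match on its own is weak evidence (an attacker can rename a binary), so treat the encrypted-file count as the stronger signal and confirm any binary hit by hashing it against a current threat-intelligence source before acting on it.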

How to Protect Yourself

Microsoft’s write-up naturally steers you toward its own security products. Other next-generation endpoint protection products (such as BlackBerry Protect and Cybereason) offer comparable protection.

Beyond that, the basic defensive positions apply:

  • Firewall policies that limit what internal systems expose to the internet
  • Security awareness training for end-users, since tricking someone into running the malware is one of the infection routes described above
  • Regular back-ups, kept offline or otherwise out of reach of an attacker who already controls the network, and tested by actually restoring from them

Conclusion

That’s about all we’ve got for you right now. If any new information is released, we’ll publish it here on the blog. Otherwise, you can read more about H0lyGh0st in Microsoft’s report on its site.

Carl Keyser is the Content Manager at Integris.
