Holy Ghost, a lesser known ransomware (opens in new tab) operator, is most likely run by North Korean hackers, Microsoft said.
The company’s Threat Intelligence Center (MSTIC) has tracked the malware (opens in new tab) variant for over a year, and has found multiple evidence to indicate that North Koreans are behind the operation.
While the group appears to have ties to the country’s government, it appears that they are not on the payroll, but rather a financially motivated group that sometimes collaborates with the government.
MSTIC says the group has been around for quite some time, but has not become as big or popular as other major players, such as BlackCat, REvil, and others.
It has the same modus operandi: find a flaw in the target’s systems (Microsoft saw the group exploiting CVE-2022-26352), move sideways across the network, map all endpoints, exfiltrate sensitive data, deploy ransomware (previously , the group used the SiennaPurple variant, later switched to an improved SiennaBlue version), then demanded a ransom in exchange for the decryption key and a promise that the data will not be leaked/sold on the black market.
The group would typically target banks, schools, production organizations and event management companies.
In terms of payment, the group would demand anywhere from 1.2 to 5 bitcoins, which is roughly $30,000 – $100,000, at current prices. While these demands are relatively small compared to other ransomware operators, Holy Ghost was still willing to negotiate and lower the price even further, sometimes as little as a third of what it initially asked.
Even though things like attack frequency or choice of target made the researchers think that the Holy Spirit is not a state-sponsored actor, there are some connections to the government. Microsoft discovered that the group was communicating with the Lazarus Group, a well-known state-sponsored actor. In addition, both groups “worked from the same infrastructure set and even used custom malware controllers with similar names.”
Via: BleepingComputer (opens in new tab)