Korean-based H0lyGh0st Ransomware Group
Industries: Education, Financial Services, Logistics, Manufacturing | Level: Strategic | Source: Microsoft
The Microsoft Threat Intelligence Center (MSTIC) published research on H0lyGh0st (tracked as DEV-0530), a group active since June 2021 that, in September 2021, compromised various small businesses across multiple countries. The H0lyGh0st ransomware payload encrypts files and appends the extension .h0lyenc. The group follows a double extortion model, providing victims with samples of stolen files as proof of theft to pressure them into meeting ransom demands.

MSTIC assessed the group as having "connections with another North Korean-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel)." Email accounts associated with the two groups have been observed communicating with each other, and the groups have shared infrastructure and custom malware controllers. A temporal analysis by MSTIC found the two groups operating in near-identical time zones, at UTC+8 or UTC+9. The groups are nonetheless tracked separately because of differences in targeting and tradecraft: PLUTONIUM has predominantly targeted the energy and defense industries in India, South Korea, and the United States, whereas H0lyGh0st's victim profile has involved "small-to-midsized businesses, including manufacturing organizations, banks, schools, and event and meeting planning companies."

H0lyGh0st has not been observed using 0-day exploits in its campaigns. Based on the lack of transactions from the group's cryptocurrency wallet, as of July 2022 no victims appear to have paid a ransom.