While they linked this group to North Korean hackers, Microsoft said HolyGhost could be a side project of official state-backed hackers for financial gain. The group was seen following practices similar to those of regular ransomware groups, but demanding low ransoms and even negotiating.
A Side Project For Financial Gains
Microsoft researchers at the MSTIC tracked a new ransomware gang called HolyGhost, which has been in the wild for over a year but has failed to gain traction like the others. They internally named the group DEV-0530 and said the first payload was deployed in June last year. They named the first variant of HolyGhost SiennaPurple (BTLC_C.exe), which has been developed over time with new features. The upgraded malware variant, noted as SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe) by Microsoft researchers, is said to support multiple encryption options, string obfuscation, public key management, and internet/intranet support. Yet it failed to gain the popularity of other major ransomware gangs.

HolyGhost follows the regular playbook of an average ransomware operator: it runs a data leak site, uses a double extortion scheme, and is even willing to negotiate the ransom. After stealing the data and encrypting the machines, HolyGhost emails the victim a link to a sample of the stolen data and a ransom note with a quoted price. Researchers said the group asks for anywhere between 1.2 and 5 bitcoins, or up to about $100,000 at the current exchange rate.

They linked this group to North Korean hackers, but not to the government directly. Even though HolyGhost relies on the same infrastructure and the same communication between email accounts as North Korean APTs, among other overlaps, it is referred to as a probable side project of mainstream hackers for financial gain. In the name of helping poor and starving people, they conduct ransomware attacks on banks, schools, manufacturing organizations, and event and meeting planning companies. Microsoft noted the IoCs and other measures to prevent HolyGhost attacks.