H0lyGh0st Ransomware Campaign: Specifically Targeting SMBs

Since September 2021, an emerging threat originating from North Korea has been targeting small to midsize businesses (SMBs) using ransomware developed by the threat group.


The group calls itself H0lyGh0st, named after a particular ransomware payload. The Microsoft Threat Intelligence Center (MTIC) tracks H0lyGh0st under the designation DEV-0530, a naming convention typical for an emerging, unknown, or developing threat actor group. H0lyGh0st has been observed primarily targeting SMBs in industries such as manufacturing, banking, education, and event planning.


The MTIC research team explained, “Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims. The group's standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files.”

DEV-0530 is believed to have connections with another North Korea-based group known as DarkSeoul (also known as Plutonium or Andariel). DarkSeoul is thought to be a sub-group under North Korea’s Lazarus group.


H0lyGh0st has also been seen leveraging extortion methods to try to pressure victims into paying ransoms—under the threat of seeing the victim’s sensitive information posted on social media outlets.


H0lyGh0st’s stated intention is to "help the poor and starving people," supposedly donating ransom payments to charitable causes or forcing victims to make their payments directly to such organizations. As with most ransomware attacks, even if the financial reward is not openly benefiting the threat actors, the group is very likely exfiltrating any useful data it finds on SMB networks to provide to North Korean government agencies, infecting software products or interconnected networks to reach additional targets, and leaving backdoors in victim networks to create endless clandestine access, if possible. For this reason it is highly recommended that victim organizations seek assistance from expert threat hunter consulting groups to ensure the threat has truly been contained and eradicated.


Below is an example of the typical H0lyGh0st ransom notification:


please read this text to decrypt all files encrypted. Don’t worry, you can return all of your files. If you want to restore all of your files mail to H0lyGh0st@ with your ID. Or install tor browser and contact us with your id or company name(If all pcs in you company are encrypted) out site. Our service After you pay we will send unlocked with decryption key


Newer ransomware variants attributed to H0lyGh0st show improvements in the core functionality; these improvements include string obfuscation and the ability to delete scheduled tasks and/or remove the malware from infected machines. A representation of the evolution of H0lyGh0st ransomware is shown below:

[Figure: DEV-0530 ransomware payloads over time. Labels: BTLC_C.exe, HolyRS.exe, HolyLock.exe, BTLC.exe, commodity tools/malware testing.]
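A triage sweep for the indicators this page names (the .h0lyenc extension and the four payload file names) is sketched below as an added example; it is not code from the MTIC research or from Webcheck. The `sweep` function, its per-folder threshold, and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Indicators named on this page: the extension given to encrypted files and
# the payload file names shown for the group's ransomware variants.
ENCRYPTED_EXT = ".h0lyenc"
PAYLOAD_NAMES = {"btlc_c.exe", "holyrs.exe", "holylock.exe", "btlc.exe"}

def sweep(root, min_encrypted=3):
    """Walk `root` and collect page-listed indicators.

    payloads        : paths whose file name equals a listed payload name
                      (a name match is a triage lead, not proof of infection)
    encrypted       : folder -> count of *.h0lyenc files, kept only when the
                      count reaches min_encrypted (an assumed threshold)
    total_encrypted : all *.h0lyenc files seen under root
    """
    payloads, per_dir = [], Counter()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lower = name.lower()  # compare case-insensitively, as Windows does
            if lower in PAYLOAD_NAMES:
                payloads.append(os.path.join(dirpath, name))
            if lower.endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
    hot = {d: n for d, n in per_dir.items() if n >= min_encrypted}
    return {"payloads": sorted(payloads), "encrypted": hot,
            "total_encrypted": sum(per_dir.values())}

def build_sample_tree(root):
    """Constructed sample data: empty files that only mimic the names."""
    docs = Path(root) / "Users" / "alice" / "Documents"
    temp = Path(root) / "Temp"
    docs.mkdir(parents=True)
    temp.mkdir()
    for n in ("file1.h0lyenc", "file2.H0LYENC", "file3.h0lyenc", "notes.txt"):
        (docs / n).touch()
    (temp / "HolyRS.exe").touch()
    (temp / "old.h0lyenc").touch()
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        result = sweep(build_sample_tree(d))
        for path in result["payloads"]:
            print("payload name match:", path)
        for folder, count in result["encrypted"].items():
            print(f"{count} {ENCRYPTED_EXT} files in {folder}")
```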

Research shows that many of the group’s successful ransomware infections enter through unpatched vulnerabilities in Internet-facing web applications and content management systems (e.g., through CVE-2022-26352).


In order to build a successful security program to protect your organization from such threat actors as H0lyGh0st, it is highly recommended that you leverage the years of experience and in-depth technical knowledge of Webcheck Security’s consulting team. Contact us today to discuss your organization’s needs and arrange for a free discussion of how Webcheck can assist in addressing those needs.
