Pyongyang statue

North Korean hackers target small businesses with H0lyGh0st ransomware, Microsoft warns

A North Korea-linked threat group has been developing ransomware and compromising small businesses in several countries since September 2021, according to a new report.

Researchers from Microsoft’s Threat Intelligence Center (MSTIC) on Thursday said the group, tracked as DEV-0530 (signifying a developing threat), is believed to be financially motivated and is considered a nation-state actor. In recent years, North Korea — which has struggled economically due to U.S. sanctions and the COVID-19 pandemic — has turned to cyberattacks as a way to siphon hundreds of millions of dollars from foreign businesses.

DEV-0530, which calls itself and the ransomware it uses H0lyGh0st, is likely connected to a group tracked by Microsoft as Plutonium (also known as DarkSeoul or Andariel). Both groups have been observed operating from the same infrastructure, using custom malware controllers with similar names, and emailing accounts belonging to each other. However, Microsoft said DEV-0530 is a separate unit.

“Despite these similarities, differences in operational tempo, targeting, and tradecraft suggest DEV-0530 and PLUTONIUM are distinct groups,” the researchers said.

2022-07-Screen-Shot-2022-07-15-at-10.07.26-AM-1024x797.png

A screenshot from the group's website. Image: Microsoft

Unlike Plutonium, which has mainly targeted energy and defense industries in India, South Korea, and the U.S. since 2014, DEV-0530 appears to favor smaller targets.

“A review of the victims showed they were primarily small-to-midsized businesses, including manufacturing organizations, banks, schools, and event and meeting planning companies,” MSTIC researchers said. “The victimology indicates that these victims are most likely targets of opportunity.”

The group asks victims for up to 5 Bitcoins (about $105,000 currently, but potentially three times greater when Bitcoin peaked last year) in exchange for a decryption key, but appears to have not had any success yet in extorting companies.

“Based on our investigation, the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price,” according to the report. “As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims.”

North Korean hackers have been tied to some of the largest digital heists over the last year. The country’s Lazarus Group stole $620 million in cryptocurrency from the video game Axie Infinity in March, according to U.S. officials. In 2021, seven attacks on cryptocurrency platforms netted DPRK hackers nearly $400 million, according to blockchain analysis firm Chainalysis. Government officials and cybersecurity experts say the attacks have helped prop up the country’s weak economy and fund its weapons programs.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Adam Janofsky

Adam Janofsky

is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.