North Korean ransom gang undercuts competitors by charging low fees


H0lyGh0st, a new threat actor from North Korea recently identified by Microsoft, appears to be cornering its share of the ransomware ‘market’ by charging victims lower fees to return their data.

That is the assessment from cyber analyst Digital Shadows, which also said the new group would face challenges as it seeks to enter a saturated criminal industry from an isolated and economically marginalized country.

H0lyGh0st appears to be going after small-to-medium enterprises, encrypting and threatening to disseminate their vital data if they don’t pay up. In this respect, it is operating much like any other ransomware outfit – but one key difference is that its asking price is much lower than average.

“One observation from Microsoft was that H0lyGh0st charged remarkably low ransom prices for victims,” said Chris Morgan, senior analyst at Digital Shadows. “H0lyGh0st typically asks victims for a ransom of 1.2 to 5 Bitcoins and is willing to lower the price to less than one-third of that during negotiations. That is dramatically lower than the majority of other ransomware groups.”

"H0lyGh0st typically asks victims for a ransom of 1.2 to 5 Bitcoins. That is dramatically lower than the majority of ransomware groups."

Chris Morgan, senior analyst at Digital Shadows

Bitcoin is currently priced at around $20,000, although like most if not all cryptocurrencies, its value has fluctuated wildly over the past year and will most likely continue to do so. But taking this as a rough estimate, it means H0lyGh0st is rarely charging above $100,000 per victim.

According to data released this week by Palo Alto Networks, ransomware groups typically start off with a demand ranging anywhere from $1 million to thirty times that amount, depending on the target company industry, before negotiating down on the price.

“With H0lyGh0st demanding such a remarkably low ransom, it is realistically possible that victims frequently decide that paying the ransom is worth it when calculating the risk of not paying,” said Morgan. “Alternatively, H0lyGh0st may be lowering their fee to a price that is achievable for smaller companies.”

No easy money

While its so-called business model might well be working for H0lyGh0st, it is by no means guaranteed to make it a living: Morgan believes that its location in one of the world’s most isolated and impoverished states will make life difficult for the debuting threat actor.

“Operating a cybercriminal operation from communist North Korea will present H0lyGh0st with a number of unique issues,” he said. “While the specific relationship with the state is unclear, it's likely that H0lyGh0st will have to pay a significant percentage or even all of its profits to the North Korean government.”

This, he argues, puts H0lyGh0st in a very different position from the Russian threat actors thought to have received the lion’s share of ransom payments in 2021.

“While your average Russian cybercriminal is probably blowing his payments on a Lamborghini or dozens of bottles of Bollinger, realistically what can you spend your earnings on in the retail chains of Pyongyang? It certainly raises questions about the motivations of H0lyGh0st’s operators,” he said.

H0lyGh0st has itself already been quite vocal about what these are, or at least what it believes them to be, posting that its chief goal is to “close the gap between rich and poor” - not something one hears often from typically self-seeking cybercriminal gangs.

The bigger picture

Whatever the truth behind H0lyGh0st’s intentions and motivations, North Korea does appear to be a small but significant contributor to the ransomware scourge. While Chainalysis found that 77% of payments went to Russian-linked groups last year, both the FBI and Cybersecurity Infrastructure Security Agency have fingered the Asian rogue nation in the Maui ransomware attacks against the healthcare industry in May 2021.

Morgan believes that while North Korean groups such as H0lyGh0st benefit from impunity – Western law enforcement agencies have virtually no means of bringing them to justice – their lives are likely to be far more difficult than cybercriminal gangs operating in fellow ‘untouchable’ countries such as Russia or China.

"Victims' data is not posted as frequently as on the sites of other, more notorious ransomware groups."

Chris Morgan, senior analyst at Digital Shadow

“Operating infrastructure and communicating with victims from inside North Korea is also likely to be problematic,” he said, pointing out that H0lyGh0st’s data-leak site is frequently offline, possibly due to electricity or internet access problems.

“Victims’ data is not posted as frequently as on the sites of other, more notorious ransomware groups,” he added. “A poorly maintained data-leak site will likely affect H0lyGh0st’s credibility. Victims are less likely to pay a ransom if they assume attackers are incapable of exposing stolen data online.”

He added that H0lyGh0st will “likely play a continual but small role within a wider repertoire of financially motivated activity coming from North Korea.” This repertoire, he says, will probably focus on “targeting susceptible cryptocurrency and NFT platforms,” as evidenced by the March attack on crypto-gaming platform Sky Mavis that netted the culprits an estimated $620 million.