H0lyGh0st gang poses as Robin Hood from North Korea

A ransomware gang from North Korea deploys ransomware to "close the gap between the rich and poor."

The gang, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name for its campaigns. According to the Microsoft Threat Intelligence Center (MSTIC), which tracks this threat actor as DEV-0530, the gang has successfully compromised small businesses in multiple countries as early as September 2021.

The group uses an .onion site to interact with its victims. H0lyGh0st encrypts all files on the victims' machines, sends its targets a data sample as proof of the compromise, and demands a ransom in Bitcoin in exchange for decrypting the files. To pressure its victims, H0lyGh0st threatens to publish the stolen data on social media or send it to the victims' customers.

H0lyGh0st is a financially motivated actor. However, it attempts to legitimize its actions by claiming to raise its victims' security awareness and to be stealing for a good cause.

"In MSTIC's investigations of their early campaigns, analysts observed that the group's ransom note included a link to the .onion site [...], where the attackers claim to 'close the gap between the rich and poor,'" MSTIC wrote.


Microsoft also assessed that this threat actor might be linked to Plutonium, a North Korean threat actor group affiliated with the clusters of activity known as DarkSeoul and Andariel.

It is possible that the North Korean government sponsors or even orders ransomware attacks to offset the losses caused by the country's economic setbacks. However, Microsoft noted that it is equally likely that the North Korean government is neither enabling nor supporting these ransomware attacks.

"Individuals with ties to Plutonium infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530," the company said.
