A ransomware gang from North Korea deploys ransomware to "close the gap between the rich and poor."
The gang, which calls itself H0lyGh0st, uses a ransomware payload of the same name in its campaigns. According to the Microsoft Threat Intelligence Center (MSTIC), which tracks this threat actor as DEV-0530, the gang has successfully compromised small businesses in multiple countries, beginning as early as September 2021.
The group uses an .onion site to interact with its victims. H0lyGh0st encrypts all files on the victims' machine, sends its targets a data sample as proof, and demands a ransom in Bitcoin in exchange for decrypting the files. To pressure its victims, H0lyGh0st threatens to publish data on social media or send it to the victims' customers.
H0lyGh0st is a financially motivated actor. However, it attempts to legitimize its actions by claiming that it raises its victims' security awareness and that it steals for a good cause.
"In MSTIC's investigations of their early campaigns, analysts observed that the group's ransom note included a link to the .onion site [...], where the attackers claim to 'close the gap between the rich and poor,'" MSTIC wrote.
Microsoft also assessed that this threat actor might be linked to Plutonium, a North Korean threat actor group affiliated with the clusters of activity known as DarkSeoul and Andariel.
It is possible that the North Korean government sponsors or even orders ransomware attacks to offset losses caused by the country's economic setbacks. However, Microsoft noted that it is equally likely that the North Korean government is neither enabling nor supporting these ransomware attacks.
"Individuals with ties to Plutonium infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530," the company said.