Holy Ghost ransomware operation linked to North Korean threat actors by Microsoft

On Thursday, 14th of July 2022, researchers at Microsoft Threat Intelligence Center (MSTIC) released a report which revealed they had been tracking the Holy Ghost ransomware gang which they have connected with North Korea. The Holy Ghost ransomware gang has been active for over a year but it has struggled to be as successful as other gangs. While Microsoft has been tracking the gang, there have been four ransomware variants that have emerged from the gang with the more recent variants being Go-based versions which were released in October 2021. The researchers stated that the gang has managed to compromise several targets, mainly small-to-midsize businesses.

“The victimology indicates that these victims are most likely targets of opportunity. MSTIC suspects that DEV-0530 might have exploited vulnerabilities such as CVE-2022-26352 (DotCMS remote code execution vulnerability) on public-facing web applications and content management systems to gain initial access into target networks” – Microsoft Threat Intelligence Center (MSTIC).

In terms of the nature of their attacks, it has been seen that the threat actors usually demand a ransom of between 1.2 to 5 bitcoins. Although, it also has been seen that the threat actors have been willing to negotiate and lower the price to less than a third of the initial demand. There is a belief that this gang might be conducting these attacks for personal financial gain instead of having a series of targets determined by the North Korean government. Although, there has been a connection made between the Holy Ghost ransomware gang and Andariel, which is a part of the Lazarus Group under North Korea’s Reconnaissance General Bureau. The connection was discovered when communications between email accounts belonging to both parties were found. Furthermore, it has been revealed that both were seen operating from the same infrastructure and using custom malware controllers with similar names.

The Holy Ghost ransomware gang has tried to keep low visibility by posing as a legitimate organisation trying to help companies improve their security posture and they state on their leak website that their actions are motivated by the desire to “close the gap between the rich and poor” and to “help the poor and starving people.”