Microsoft has raised an alert over a ransomware gang that is apparently based in North Korea and has been successfully compromising small businesses since September 2021. The Microsoft Threat Intelligence Center (MSTIC) is tracking the group as an emerging threat under the tag DEV-0530 and says the ‘H0lyGh0st’ payload has affected small businesses in multiple countries over the past year. It’s another double-extortion racket, so there’s a threat of files being both locked up and leaked, but the group’s motivations remain ambiguous.

The group’s standard methodology is to encrypt all files on the target device using the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files, Microsoft says in a blog post. “As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay,” it warns.

Microsoft says it has observed DEV-0530 communicating with the North Korea-based state-sponsored group it tracks as Plutonium, which is also known as DarkSeoul or Andariel. The group has also used tools created exclusively by Plutonium.
About OODA Analyst
OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.