Digital Shadows reports on the recently identified H0lyGh0st ransomware outfit, a new threat actor operating out of North Korea that faces some clear challenges but is nevertheless still a live threat.
- Alex Scroxton, Security Editor
Published: 28 Jul 2022 13:00
As the US authorities raise the available reward for information on North Korean threat actors by $5m, threat researchers at Digital Shadows have been probing a new North Korean ransomware gang, dubbed H0lyGh0st, the existence of which was reported earlier this month by Microsoft.
The gang, which appears to specialise in targeting small and medium-sized enterprises (SMEs), has a modus operandi that is not all that different from that of other ransomware gangs (it favours double extortion tactics and operates a data leak website, among other activities), but it has some notable quirks that set it apart from its peers, according to Digital Shadows senior cyber threat intelligence analyst Chris Morgan.
While modern ransomware gangs are chiefly associated with Russia (74% of ransom payments went to Russia-based groups in 2021, according to Chainalysis), North Korean groups such as Lazarus (with which H0lyGh0st may be linked through the DarkSeoul APT) did much to originate the genre through high-profile incidents such as WannaCry. Other North Korean ransomware operations are not unusual either.
However, Morgan explained, North Korean ransomware operations face some unique challenges that are less troubling to Russian groups.
"Operating a cyber criminal operation from communist North Korea will present H0lyGh0st with several unique issues," he said. "As the specific relationship with the state is unclear, it's likely that H0lyGh0st will need to pay a substantial percentage, or even most, of its profits to the North Korean government."
"While your average Russian cyber criminal is most likely blowing his payments on a Lamborghini or a large number of bottles of Bollinger, realistically what can you spend your profits on in the retail chains of Pyongyang? It really raises questions about the motivations of H0lyGh0st's operators."
Chris Morgan, Digital Shadows
Further challenges present themselves when it comes to operating infrastructure and communicating with victims from inside the pariah state. The parlous state of North Korea's internet services and its electrical grid mean that H0lyGh0st's leak site is frequently knocked offline, and it does not post its victims' data as often as others do. Morgan believes this may affect its credibility and its ability to ransom victims, who may assume they are dealing with an attacker that does not have the means to operate like Conti or REvil.
H0lyGh0st is also likely to find it harder than others to identify developing techniques and attract new talent to its crew, said Morgan. Higher-profile operations maintain their success through a process of continuous improvement, evolving their techniques and burnishing their reputation. H0lyGh0st's ability to do this is probably severely hindered.
However, said Morgan, there are distinct benefits to operating out of North Korea. One observation from Microsoft was that H0lyGh0st charged remarkably low ransom fees. H0lyGh0st typically asks victims for a ransom of 1.2 to 5 bitcoins and is willing to lower the price to less than one-third of that during negotiations.
To put that in context, while the price has fluctuated dramatically over the last year, one bitcoin is currently priced at around $20,000-24,000. That is dramatically lower than the demands of the majority of other ransomware groups.
Indeed, he said, this may actually make victims more likely to pay on first contact, and potentially eliminates the need for protracted negotiations with victims, saving everyone time and money, but not in a good way.
H0lyGh0st also benefits from a certain degree of protection from international law enforcement. Because of North Korea's isolation from the international community, western authorities' only options are issuing indictments or pursuing money-laundering crypto platforms. They have little if any ability to conduct operations, seize infrastructure or make arrests, as happened in Russia and Ukraine before the war.
Morgan said H0lyGh0st would likely play a continual, albeit limited, role in the wider repertoire of financially motivated cyber criminal activity coming out of North Korea, such as the targeting of vulnerable crypto and non-fungible token (NFT) platforms.