North Korean Hackers Behind HolyGhost Ransomware Attacks on SMBs

A ransomware family called HolyGhost that is being used in attacks on SMBs has been linked to a suspected North Korean state-sponsored hacking group by researchers at Microsoft. The ransomware was first detected in September 2021 and has been predominantly used to attack small and mid-sized businesses, including schools, banks, manufacturers, and event and meeting planning companies.

Microsoft has tracked the attacks to a threat group dubbed DEV-0530, which has been operational since at least June 2021. DEV-0530 appears to be focused on using ransomware to attack SMBs for financial gain. Like many other ransomware operations, DEV-0530 exfiltrates data prior to file encryption and threatens to publish the stolen data on social media if the ransom is not paid. The group has also threatened to contact victims' customers to alert them to the theft of their data if payment is not made.

After exfiltrating data, files are encrypted and have the .h0lyenc extension added. A sample of the stolen data is provided to victims as proof of the attack and data theft. The group maintains an .onion site for negotiating with victims and accepting ransom payments, which must be made in Bitcoin. Ransom demands have generally been in the range of 0.2 to 5 BTC.

According to Microsoft, DEV-0530 is associated with the better-known North Korean state-sponsored threat group Plutonium and has used similar tools in its activities. DEV-0530 is known to use two malware families – SiennaPurple and SiennaBlue – across which four separate variants have so far been identified, all of which encrypt files on victims' systems. They have collectively been dubbed HolyGhost ransomware. These variants maintain persistence through a scheduled task named lockertask, which is used to launch the ransomware. According to Microsoft, “Once the ransomware is successfully launched as an administrator, it tries to connect to the default ServerBaseURL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive.”
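The two host artifacts the article names, the lockertask scheduled task and the .h0lyenc extension on encrypted files, are the obvious things to hunt for in endpoint telemetry. The script below is an added example, not code from Microsoft or from this article: it runs a simple detection over constructed log lines. The key=value line format, the hostnames, paths and timestamps are all invented for the example; the event IDs are real (Windows Security 4698 is "a scheduled task was created", Sysmon 11 is "file created"), and the burst threshold of three renamed files per process is an arbitrary tuning choice.

```python
"""Toy detection for the HolyGhost host artifacts named in the article:
a scheduled task called 'lockertask' and files renamed to '*.h0lyenc'.
Log lines below are constructed for this example; the key=value layout
is an assumption, not any product's real export format."""

import re
from collections import Counter

LOCKER_TASK = "lockertask"   # task name from the article (compared case-insensitively)
ENC_EXT = ".h0lyenc"         # extension appended to encrypted files

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample telemetry: one benign task creation, the lockertask
# creation, a burst of .h0lyenc file creates from one process on FS01, and a
# single .h0lyenc file on another host (e.g. a user downloading the sample
# the attackers provide as proof), which should stay below the threshold.
SAMPLE_LOGS = r"""
2022-07-14T09:01:12Z host=FS01 source=Security event_id=4698 user=CORP\svc_backup task_name=\Microsoft\Windows\Defrag\ScheduledDefrag
2022-07-14T09:02:40Z host=FS01 source=Security event_id=4698 user=CORP\admin task_name=\lockertask
2022-07-14T09:03:01Z host=FS01 source=Sysmon event_id=11 image=C:\Users\Public\locker.exe target=D:\Shares\Finance\Q2.xlsx.h0lyenc
2022-07-14T09:03:01Z host=FS01 source=Sysmon event_id=11 image=C:\Users\Public\locker.exe target=D:\Shares\Finance\Q3.xlsx.h0lyenc
2022-07-14T09:03:02Z host=FS01 source=Sysmon event_id=11 image=C:\Users\Public\locker.exe target=D:\Shares\Finance\notes.txt
2022-07-14T09:03:02Z host=FS01 source=Sysmon event_id=11 image=C:\Users\Public\locker.exe target=D:\Shares\Finance\budget.docx.h0lyenc
2022-07-14T10:15:30Z host=WS07 source=Sysmon event_id=11 image=C:\Windows\explorer.exe target=C:\Users\bob\Downloads\sample.h0lyenc
"""


def parse_line(line):
    """Split 'TIMESTAMP key=value key=value ...' into a dict.

    Values cannot contain spaces in this constructed format, which keeps the
    parser trivial; a real pipeline would read structured events instead."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def detect(log_text, burst_threshold=3):
    """Return a list of alert dicts found in the given log text.

    - scheduled_task: Security 4698 whose task name's last path component is
      'lockertask' (the persistence mechanism described by Microsoft).
    - encrypted_file_burst: at least burst_threshold Sysmon 11 events from the
      same (host, image) pair whose target ends in '.h0lyenc'. Counting per
      process rather than per host avoids alerting on a single stray sample."""
    alerts = []
    bursts = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        src, eid = ev.get("source"), ev.get("event_id")
        if src == "Security" and eid == "4698":
            name = ev.get("task_name", "")
            if name.rsplit("\\", 1)[-1].lower() == LOCKER_TASK:
                alerts.append({
                    "type": "scheduled_task",
                    "ts": ev["ts"],
                    "host": ev.get("host"),
                    "user": ev.get("user"),
                    "task_name": name,
                })
        elif src == "Sysmon" and eid == "11":
            if ev.get("target", "").lower().endswith(ENC_EXT):
                bursts[(ev.get("host"), ev.get("image", "?"))] += 1
    # Counter keeps insertion order, so alert order is deterministic.
    for (host, image), n in bursts.items():
        if n >= burst_threshold:
            alerts.append({
                "type": "encrypted_file_burst",
                "host": host,
                "image": image,
                "count": n,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Two caveats a practitioner should keep in mind. Event 4698 is only written when "Audit Other Object Access Events" is enabled in the audit policy, so confirm the events exist before relying on the task-name check; and both signals are name-based, so a variant that changes the task name or the extension walks past them. The scheduled-task signal is nonetheless the more useful of the two, because it fires before encryption starts, whereas the .h0lyenc burst is by definition visible only once files are already being lost.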

It is unclear how access to victims’ networks is being gained, but Microsoft suggests attacks may be conducted by exploiting vulnerabilities in public-facing web applications and content management systems, such as the CVE-2022-26352 (DotCMS) remote code execution vulnerability.

Microsoft says DEV-0530 could be conducting ransomware attacks on behalf of the North Korean government to raise funds to offset losses due to sanctions, natural disasters, and the weakening of the North Korean economy; however, the range of organizations targeted by DEV-0530 is narrower than that of other North Korean state-sponsored hacking groups. Microsoft suggests that the much narrower targeting could indicate that individuals with links to Plutonium infrastructure and tooling are moonlighting for personal financial gain.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of