September 26, 2023

Holy Ghost, a tiny ransomware operator likely being managed by North Korean hackers.

Microsoft Threat Intelligence Center has been tracking the malware variant and has found multiple evidence pointing to North Koreans being behind the operation.


Although the group seems to be linked to the country’s government, it appears as if it’s not on payroll, but rather a financially motivated group that sometimes co-operates with the government.

The mode of operation is to find a flaw in the target’s systems abusing CVE-2022-26352 move laterally across the network, mapping all of the endpoints, exfiltrate sensitive data, deploy ransomware, and then demand a ransom payment in exchange for the decryption key and a promise that the data won’t be leaked/sold on the black market.

The group would usually target banks, schools, manufacturing organizations, and event management firms.


Ransom demand anywhere between 1.2 and 5 bitcoins, though these demands are small, compared to other ransomware operators, Holy Ghost was still willing to negotiate and reduce the price even further, sometimes getting just a third initially demanded.

Holy Ghost is not a state-sponsored actor, there exist a connections to the Lazarus Group, which is a known state-sponsored actor.

Leave a Reply

%d bloggers like this: