June 7, 2023

Holy Ghost, a tiny ransomware operator likely being managed by North Korean hackers.

Microsoft Threat Intelligence Center has been tracking the malware variant and has found multiple evidence pointing to North Koreans being behind the operation.

Advertisements

Although the group seems to be linked to the country’s government, it appears as if it’s not on payroll, but rather a financially motivated group that sometimes co-operates with the government.

The mode of operation is to find a flaw in the target’s systems abusing CVE-2022-26352 move laterally across the network, mapping all of the endpoints, exfiltrate sensitive data, deploy ransomware, and then demand a ransom payment in exchange for the decryption key and a promise that the data won’t be leaked/sold on the black market.

The group would usually target banks, schools, manufacturing organizations, and event management firms.

Advertisements

Ransom demand anywhere between 1.2 and 5 bitcoins, though these demands are small, compared to other ransomware operators, Holy Ghost was still willing to negotiate and reduce the price even further, sometimes getting just a third initially demanded.

Holy Ghost is not a state-sponsored actor, there exist a connections to the Lazarus Group, which is a known state-sponsored actor.

Tags:

Leave a Reply

You may have missed

Microsoft to comply with LinkedIn GDPR Violation

Microsoft to comply with LinkedIn GDPR Violation

June 7, 2023
Google Fixes Third Chrome Zeroday

Google Fixes Third Chrome Zeroday

June 6, 2023
Moveit Attributed to Lace Tempest

Moveit Attributed to Lace Tempest

June 6, 2023
Byte Code Bites PYPI

Byte Code Bites PYPI

June 5, 2023
Enzo Biochem Suffers a Data Breach

Enzo Biochem Suffers a Data Breach

June 5, 2023
BlackSuit Ransomware Dissection

BlackSuit Ransomware Dissection

June 4, 2023
%d bloggers like this: