Microsoft has linked a threat that emerged in June 2021 and targets small-to-mid-sized businesses to state-sponsored actors tracked as DEV-0530.
Microsoft researchers have linked a new ransomware threat that has already compromised a number of small-to-mid-sized businesses to financially motivated North Korean state-sponsored actors that have been active since 2021.
DEV-0530
A group tracked by researchers from the Microsoft Threat Intelligence Centre (MSTIC) as DEV-0530, but that calls itself H0lyGh0st, has been developing and using ransomware in attacks since June 2021.
The group has successfully compromised small-to-mid-sized businesses, including manufacturing organisations, banks, schools, and event and meeting planning companies, in multiple countries starting as early as September, researchers from MSTIC and the Microsoft Digital Security Unit (MDSU) stated in a blog post published Thursday.
Encrypt All Files
H0lyGh0st’s standard method is to use its namesake ransomware to encrypt all files on the target device, appending the file extension .h0lyenc, and then send the victim a sample of the files as proof.
The group interacts with victims on a .onion site that it maintains and on which it provides a contact form for victims to get in touch, researchers explained.
The group typically demands payment in Bitcoin in exchange for restoring access to the files. On its website, H0lyGh0st claims that it will not sell or publish victim data if the victim pays, researchers outlined.
However, it uses double extortion to pressure targets into paying, threatening to publish stolen data on social media or send it to the victims’ customers if they don’t meet ransom demands.
Introducing H0lyGh0st
H0lyGh0st’s ransomware campaigns are financially motivated: researchers intercepted a ransom note in which the attackers claim they aim to “close the gap between the rich and poor.”
“They also attempt to legitimise their actions by claiming to increase the victim’s security awareness by letting the victims know more about their security posture,” they surmised.
DEV-0530 also has connections with another North Korean group tracked as PLUTONIUM, also known as Dark Seoul or Andariel, according to MSTIC, with researchers observing communications between the two groups. H0lyGh0st has also been seen using tools created exclusively by PLUTONIUM, they stated.
Two Families
Since it began using ransomware in June 2021 and until May 2022, H0lyGh0st has employed two custom-developed malware families, Sienna Purple and Sienna Blue, researchers explained. MSTIC identified four variants linked to these families: BTLC_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe.
BTLC_C.exe is written in C++ and is classified as Sienna Purple, while the rest are written in the open source Go programming language, researchers observed. All of the variants are compiled into .exe files to target Windows systems, they outlined.
Portable Ransomware
BLTC_C.exe is a portable ransomware developed by the group that was first seen in June 2021. However, it may have been an early version of the group’s development efforts, as it has few features compared to the malware variants in the Sienna Blue family, researchers explained.
Later in the group’s evolution, between October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530 ransomware variants written in Go, which they classify as Sienna Blue variants, they said.
Although new Go functions have been added to the various variants over time, all the ransomware in the Sienna Blue family shares the same core Go functions, researchers observed. These features include various encryption options, string obfuscation, public key management, and support for both internet and intranet operation, researchers outlined.
Recent Variant
The latest ransomware variant to be used by the group is BTLC.exe, which researchers have seen in the wild since April 2022, they said.
BTLC.exe can be configured to connect to a network share using the default username, password, and intranet URL hardcoded in the malware if the Server Base URL is not accessible from the device, researchers stated.
Persistence Mechanism
The malware also includes a persistence mechanism in which it creates (or deletes) a scheduled task named lockertask that can launch the ransomware.
Once the malware is successfully launched as an administrator, it tries to connect to the default Server Base URL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files on the victim’s drive, they concluded.
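The two host-level indicators the article names, the scheduled task lockertask and files renamed to the .h0lyenc extension, can be turned into a simple detection over endpoint telemetry. The following is an added example, not code from Microsoft or from the article; the key=value log format, the sample events and the host and file names in them are constructed for illustration, so the parser would need adapting to a real EDR or Sysmon export.

```python
"""Flag H0lyGh0st indicators (lockertask scheduled task, .h0lyenc renames)
in endpoint telemetry. Log format and sample events are constructed."""
import re
from collections import Counter

# Constructed sample telemetry (not real logs): one host shows the
# lockertask creation followed by a burst of .h0lyenc renames, the other
# host shows benign scheduled-task and rename activity.
SAMPLE_LOGS = """\
ts=2022-04-12T09:01:05Z host=fs01 event=task_created task=lockertask user=Administrator image=C:\\Users\\Public\\BTLC.exe
ts=2022-04-12T09:01:09Z host=fs01 event=file_rename image=C:\\Users\\Public\\BTLC.exe src=D:\\share\\q1.xlsx dst=D:\\share\\q1.xlsx.h0lyenc
ts=2022-04-12T09:01:09Z host=fs01 event=file_rename image=C:\\Users\\Public\\BTLC.exe src=D:\\share\\plan.docx dst=D:\\share\\plan.docx.h0lyenc
ts=2022-04-12T09:02:11Z host=ws07 event=task_created task=BackupNightly user=svc_backup image=C:\\Windows\\System32\\schtasks.exe
ts=2022-04-12T09:03:40Z host=ws07 event=file_rename image=C:\\Windows\\explorer.exe src=C:\\tmp\\a.txt dst=C:\\tmp\\b.txt
"""

KV = re.compile(r"(\w+)=(\S+)")  # values in this constructed format have no spaces

def parse(line):
    """Turn one key=value line into a dict (empty dict for blank lines)."""
    return dict(KV.findall(line))

def detect(log_text, rename_threshold=2):
    """Return (host, rule, detail) findings for the two H0lyGh0st indicators.

    Rule 1 fires on any creation or deletion of a task named lockertask.
    Rule 2 fires when one process on one host renames at least
    rename_threshold files to the .h0lyenc extension (encryption burst)."""
    findings = []
    renames = Counter()  # (host, image) -> number of .h0lyenc renames
    for line in log_text.splitlines():
        ev = parse(line)
        if not ev:
            continue
        if ev.get("event") in ("task_created", "task_deleted") and \
                ev.get("task", "").lower() == "lockertask":
            findings.append((ev["host"], "h0lyghost_lockertask", ev.get("image", "")))
        if ev.get("event") == "file_rename" and \
                ev.get("dst", "").lower().endswith(".h0lyenc"):
            renames[(ev["host"], ev.get("image", ""))] += 1
    for (host, image), n in renames.items():
        if n >= rename_threshold:
            findings.append((host, "h0lyghost_h0lyenc_burst", f"{image} ({n} files)"))
    return findings

if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_LOGS):
        print(f"{host}: {rule}: {detail}")
```

The rename threshold exists so that a single stray file with the extension does not alert on its own; tune it to the volume your file-server telemetry produces.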