As the US authorities increase the available reward for information on North Korean threat actors by $5m, threat researchers at Digital Shadows have been probing a new North Korean ransomware gang, dubbed H0lyGh0st, the existence of which was reported earlier this month by Microsoft.
The gang, which appears to specialise in targeting small and medium-sized enterprises (SMEs), has a modus operandi that isn’t all that different from other ransomware gangs – it favours double extortion tactics and operates a data leak site, among other things – but has some notable quirks that set it apart from its peers, according to Digital Shadows senior cyber threat intelligence analyst Chris Morgan.
While modern ransomware gangs are mainly associated with Russia – 74% of ransom payments went to Russia-based groups in 2021, according to Chainalysis – North Korean groups such as Lazarus (to which H0lyGh0st may be linked via the DarkSeoul APT) did much to originate the genre through high-profile incidents such as WannaCry. And other North Korean ransomwares are not unprecedented.
Nevertheless, Morgan explained, North Korean ransomware operations face some unique challenges that are less troubling to Russian groups.
“Running a cyber criminal operation from communist North Korea will present H0lyGh0st with a number of unique issues,” he said. “While the specific relationship with the state is unclear, it’s likely that H0lyGh0st must pay a significant share or even all of its revenue to the North Korean government.
“While your average Russian cyber criminal might be blowing his funds on a Lamborghini or dozens of bottles of Bollinger, realistically what can you spend your earnings on in the retail chains of Pyongyang? It certainly raises questions about the motivations of H0lyGh0st’s operators.”
Further challenges present themselves in terms of operating infrastructure and communicating with victims from inside a pariah state. The parlous state of North Korea’s internet services and its electrical grid mean that H0lyGh0st’s leak site is frequently knocked offline, and it does not post its victims’ data as frequently as others do. Morgan believes this may impact its credibility and its ability to ransom victims who think they are dealing with an attacker that does not have the means to operate like Conti or REvil.
H0lyGh0st is also likely to find it harder than others to develop new techniques and attract new talent to its crew, said Morgan. Higher-profile operations maintain their success through a process of continuous improvement, evolving their techniques and burnishing their reputation. H0lyGh0st’s ability to do this is likely severely hindered.
Nevertheless, said Morgan, there are distinct advantages to operating out of North Korea. “One observation from Microsoft was that H0lyGh0st charged remarkably low ransom prices for victims. H0lyGh0st typically asks victims for a ransom of 1.2 to five bitcoins and is willing to lower the price to less than one-third of that in negotiations.
“To put that in context, while the price has fluctuated dramatically in the last 12 months, one bitcoin is currently priced at around $20,000-24,000. That’s dramatically lower than the majority of other ransomware groups.”
Indeed, he said, this may actually make victims more likely to pay up on first contact, and potentially eliminates the need for protracted negotiations with victims, saving everybody time and money, although not in a good way.
H0lyGh0st also benefits from a certain degree of protection from international law enforcement. Because of North Korea’s isolation from the international community, western authorities’ only real options are issuing indictments or going after money laundering crypto platforms. They have very little ability to conduct operations, seize infrastructure or make arrests – as frequently occurred in Russia and Ukraine prior to the war.
Morgan said H0lyGh0st would likely play a continuing, albeit limited, role in a wider repertoire of financially motivated cyber criminal activity – such as the targeting of vulnerable crypto and non-fungible token (NFT) platforms – coming out of North Korea.