An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021.

The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Center under the moniker DEV-0530, a designation assigned to an unknown, emerging, or developing cluster of threat activity.

Targeted entities primarily include small-to-midsize businesses such as manufacturing organizations, banks, schools, and event and meeting planning companies.

"Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims," the researchers said in a Thursday analysis.

"The group's standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files."

Ransom amounts demanded by DEV-0530 range anywhere between 1.2 and 5 bitcoins, although an analysis of the attacker's cryptocurrency wallet shows no successful ransom payments from its victims as of early July 2022.

DEV-0530 is believed to have connections with another North Korea-based group known as Plutonium (aka DarkSeoul or Andariel), a sub-group operating under the Lazarus umbrella (aka Zinc or Hidden Cobra).

The illicit scheme adopted by the threat actor also takes a leaf out of the double-extortion ransomware playbook, pressuring victims into paying or risk having their information published on social media.

DEV-0530's dark web portal claims it aims to "close the gap between the rich and poor" and "help the poor and starving people," a tactic that mirrors another ransomware family called GoodWill, which compels victims to donate to social causes and provide financial assistance to people in need.
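The encryption behaviour described above (files renamed with the .h0lyenc extension) is something a defender can watch for in file-server audit logs. The following is an added example, not code from the article or from Microsoft: it parses constructed file-activity log lines in a hypothetical `host=... user=... action=... path=...` format and raises an alert when a single host produces a burst of files gaining that extension within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of file-activity log lines (hypothetical format:
# "<ISO timestamp> host=<name> user=<name> action=<verb> path=<path>").
SAMPLE_LOG = """\
2022-07-01T09:00:01 host=fs01 user=jdoe action=rename path=C:\\Shares\\Finance\\q2.xlsx.h0lyenc
2022-07-01T09:00:02 host=fs01 user=jdoe action=rename path=C:\\Shares\\Finance\\ap.docx.h0lyenc
2022-07-01T09:00:02 host=fs01 user=jdoe action=rename path=C:\\Shares\\Finance\\ar.docx.h0lyenc
2022-07-01T09:00:03 host=fs01 user=jdoe action=create path=C:\\Shares\\Finance\\README.txt
2022-07-01T09:00:04 host=fs01 user=jdoe action=rename path=C:\\Shares\\HR\\payroll.csv.h0lyenc
2022-07-01T09:05:00 host=ws07 user=asmith action=rename path=C:\\Users\\asmith\\notes.txt.h0lyenc
2022-07-01T09:30:00 host=ws07 user=asmith action=create path=C:\\Users\\asmith\\todo.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) path=(?P<path>.+)$"
)
TARGET_EXT = ".h0lyenc"  # extension named in the Microsoft analysis

def parse(log_text):
    """Yield (timestamp, host, user, action, path) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["host"], m["user"],
                   m["action"], m["path"])

def detect_mass_encryption(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return one alert per host where >= threshold files gain the .h0lyenc
    extension (via rename or create) inside a sliding time window."""
    per_host = defaultdict(list)
    for ts, host, user, action, path in parse(log_text):
        if action in ("rename", "create") and path.lower().endswith(TARGET_EXT):
            per_host[host].append((ts, user, path))
    alerts = []
    for host, events in per_host.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and (best is None or n > best["count"]):
                best = {"host": host, "user": events[end][1], "count": n,
                        "first": events[start][0], "last": events[end][0]}
        if best:
            alerts.append(best)
    return alerts
```

A single stray .h0lyenc file (ws07 above) stays below the threshold, so only the burst on fs01 is reported; tune `threshold` and `window` to the normal rename rate of the share being monitored.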
