As the US authorities increase the available reward for information on North Korean threat actors by $5m, threat researchers at Digital Shadows have been probing a new North Korean ransomware gang, dubbed H0lyGh0st, the existence of which was reported earlier this month by Microsoft.
The gang, which appears to focus on targeting small and medium-sized enterprises (SMEs), has a modus operandi that isn’t all that different from other ransomware gangs – it favours double extortion tactics and operates a data leak site, among other things – but has some notable quirks that set it apart from its peers, according to Digital Shadows senior cyber threat intelligence analyst Chris Morgan.
While modern ransomware gangs are mainly associated with Russia – 74% of ransom payments went to Russia-based groups in 2021, according to Chainalysis – North Korean groups such as Lazarus (with which H0lyGh0st may be linked through the DarkSeoul APT) did much to originate the genre through high-profile incidents such as WannaCry. And other North Korean ransomwares are not unprecedented.
However, Morgan explained, North Korean ransomware operations face some unique challenges that are less troubling to Russian groups.
“Running a cyber criminal operation from communist North Korea will present H0lyGh0st with a number of unique issues,” he said. “While the exact relationship with the state is unclear, it is likely that H0lyGh0st must pay a significant proportion or even all of its earnings to the North Korean government.
“While your average Russian cyber criminal may be blowing his funds on a Lamborghini or dozens of bottles of Bollinger, realistically what can you spend your earnings on in the retail chains of Pyongyang? It really raises questions about the motivations of H0lyGh0st’s operators.”
Further challenges present themselves in terms of operating infrastructure and communicating with victims from inside a pariah state. The parlous state of North Korea’s internet services and its electrical grid mean that H0lyGh0st’s leak site is frequently knocked offline, and it does not publish its victims’ data as frequently as others do. Morgan believes this may affect its credibility and its ability to ransom victims who think they are dealing with an attacker that does not have the means to operate like Conti or REvil.
H0lyGh0st is also likely to find it harder than others to develop its techniques and attract new talent to its crew, said Morgan. Higher-profile operations maintain their success through a process of continuous improvement, evolving their techniques and burnishing their reputation. H0lyGh0st’s ability to do this is likely severely hindered.
However, said Morgan, there are distinct advantages to operating out of North Korea. “One observation from Microsoft was that H0lyGh0st charged remarkably low ransom prices for victims. H0lyGh0st typically asks victims for a ransom of 1.2 to five bitcoins and is willing to lower the price to less than one-third of that in negotiations.
“To put that in context, while the price has fluctuated dramatically in the last year, one bitcoin is currently priced at around $20,000-24,000. That’s dramatically lower than the majority of other ransomware groups.”
Indeed, he said, this may in fact make victims more likely to pay up on first contact, and potentially eliminates the need for protracted negotiations with victims, saving everybody time and money, although not in a good way.
H0lyGh0st also benefits from a certain degree of protection from international law enforcement. Due to North Korea’s isolation from the international community, western authorities’ only real options are issuing indictments or going after money laundering crypto platforms. They have little or no ability to conduct operations, seize infrastructure or make arrests – as frequently happened in Russia and Ukraine prior to the war.
Morgan said H0lyGh0st would likely play a continuous, albeit limited, role in a wider repertoire of financially motivated cyber criminal activity – such as the targeting of vulnerable crypto and non-fungible token (NFT) platforms – coming out of North Korea.