Microsoft detailed new ransomware from a group calling itself H0lyGh0st that likely overlaps with the government-directed DarkSeoul.
According to a blog post from the Microsoft Threat Intelligence Center, H0lyGh0st targets victims of opportunity and was seen in several small- and medium-sized enterprises in multiple countries. It has been developing malware since June of last year.
While the group calls itself H0lyGh0st and HolyGhost on its onion page, and used versions of the word "Holy" across the malware and file extension names, Microsoft is tracking the group as DEV-0530. This article will use the HolyGhost name for reasons of readability and searchability.
Microsoft says that the infrastructure used in the attacks overlaps with that of DarkSeoul and that email accounts linked to HolyGhost have been seen communicating with those linked to DarkSeoul. The HolyGhost group appears to work during hours indicative of someone living in North Korea or an adjacent time zone. That leaves two possibilities, Microsoft believes: Either HolyGhost is a government-directed group raising money for a Kim regime beset by sanctions, or members of DarkSeoul are moonlighting. Neither would be out of character for adversarial government-directed hackers.
In the past, the ransomware group Evil Corp was itself sanctioned for cooperating with sanctioned espionage groups — in that case Russia — criminalizing ransom payment to the group. The Microsoft blog is new; it's too early to gauge whether that will be the case here.
For HolyGhost's part, the group claimed on its onion site — now down, but archived in part by Microsoft — to work with three goals in mind "[t]o close the gap between the rich and the poor," "[t]o help poor and starving people," and "[t]o increase security awareness."
HolyGhost's ransomware appears to split into two families, which Microsoft has dubbed SiennaBlue and SiennaPurple. SiennaPurple was written in C++ and used between June and October 2021. The only variant of SiennaPurple was BTLC_C.exe. SiennaBlue, which has been in use since October, is written in Go. There are three varieties (HolyRS.exe, HolyLock.exe and BTLC.exe), all built around the same core set of functions.
Microsoft says both SiennaPurple and SiennaBlue are detected by its WindowsDefender and advises standard ransomware prevention and preparedness to mitigate an attack.