18 July 2022

North Korean hackers target small businesses with H0lyGh0st malware

A North Korea-linked hacker group has been attacking small businesses in various countries with a ransomware strain called H0lyGh0st since at least September 2021, Microsoft says.

Tracked by Microsoft’s Threat Intelligence Center (MSTIC) as DEV-0530, the group has been developing and using the H0lyGh0st ransomware since June 2021. MSTIC believes that DEV-0530 has ties to another North Korea-linked threat actor known as Plutonium (also tracked as DarkSeoul or Andariel). While campaigns using H0lyGh0st are unique to DEV-0530, the group has been observed using Plutonium’s custom tools in its attacks.

Active since at least 2014, Plutonium has primarily targeted the energy and defense industries in India, South Korea, and the US using a variety of tactics and techniques.

Like other ransomware gangs, DEV-0530 encrypts all files on the target device and appends the file extension .h0lyenc to them. It then sends the victim a sample of the files as proof and demands payment in Bitcoin in exchange for restoring access. Usually, the threat actor demanded between 1.2 and 5 bitcoins and was willing to lower the price (in some cases to less than one-third of the initial demand).
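The one concrete host-side indicator the article gives is the .h0lyenc extension appended to encrypted files. The following is an added example of a defender-side sweep for that indicator; it is not code from Microsoft’s report or from this site. The extension is the one named above; the sample directory tree, the file names in it, the `min_hits` threshold and the function names are constructed for the demonstration.

```python
"""Sweep a directory tree for files carrying the .h0lyenc extension.

Added example for responders, not code from the original article. Only the
extension comes from the article; the sample tree and threshold are constructed.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".h0lyenc"  # extension the article attributes to H0lyGh0st


def find_encrypted_files(root):
    """Return a sorted list of paths under `root` whose name ends with .h0lyenc (case-insensitive)."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(ENCRYPTED_EXT):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def summarize_by_directory(paths):
    """Count hits per directory so a responder can see how far encryption spread."""
    return Counter(os.path.dirname(p) for p in paths)


def triage(root, min_hits=1):
    """Return (alert, report); alert is True once at least `min_hits` encrypted files are found.

    `min_hits` is a constructed threshold: a single hit already warrants a look,
    but a larger value can cut noise on shares where stray test files are common.
    """
    hits = find_encrypted_files(root)
    report = {
        "root": str(root),
        "encrypted_file_count": len(hits),
        "by_directory": dict(summarize_by_directory(hits)),
        "samples": hits[:5],
    }
    return len(hits) >= min_hits, report


def build_sample_tree():
    """Create a throwaway tree imitating a partially encrypted file share (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="h0lyenc_demo_"))
    (root / "finance").mkdir()
    (root / "hr").mkdir()
    (root / "finance" / "q2.xlsx.h0lyenc").write_bytes(b"\x00" * 16)
    (root / "finance" / "notes.txt").write_text("untouched")
    (root / "hr" / "payroll.docx.h0lyenc").write_bytes(b"\x00" * 16)
    (root / "hr" / "readme.txt.H0LYENC").write_bytes(b"\x00" * 16)  # upper-case variant
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    alert, report = triage(sample_root)
    print("ALERT" if alert else "clean", report)
```

Run it against a mounted share or a forensic image of a suspect host; the per-directory counts show where the encryption started and how far it spread, which is the first thing to establish before deciding on containment. The match is case-insensitive so that a differently cased extension is not missed.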

As part of its extortion tactics, the group threatens to leak victim data on social media if the ransom is not paid. To interact with victims, DEV-0530 runs an .onion web portal, which claims the group aims to “close the gap between the rich and poor” and “help the poor and starving people.” A similar tactic was observed in the Goodwill ransomware, discovered in May 2022.

“Between June 2021 and May 2022, MSTIC classified H0lyGh0st ransomware under two new malware families: SiennaPurple and SiennaBlue. Both were developed and used by DEV-0530 in campaigns. MSTIC identified four variants under these families – BTLC_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe – and clustered them based on code similarity, C2 infrastructure including C2 URL patterns, and ransom note text,” Microsoft noted in its report.

The HolyRS.exe, HolyLock.exe, and BLTC.exe variants are written in Go, while BTLC_C.exe is written in C++.

Microsoft said that DEV-0530 managed to compromise several targets, mainly small-to-midsize businesses, including banks, schools, manufacturing organizations, and event and meeting planning companies. However, the campaign does not appear to have been profitable: as of early July 2022, the attackers’ cryptocurrency wallet had received no ransom payments from victims.
