Microsoft Threat Intelligence Center (MSTIC) researchers linked the activity of the Holy Ghost ransomware (H0lyGh0st) operation to a North Korea-linked group they track as DEV-0530.


The Holy Ghost ransomware gang has been active since June 2021 and has conducted ransomware attacks against small businesses in multiple countries. The list of victims includes manufacturing organizations, banks, schools, and event and meeting planning companies. MSTIC linked DEV-0530 to another North Korea-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel).

The researchers noticed that the H0lyGh0st ransomware used custom tools created by the PLUTONIUM APT. Like other operations, H0lyGh0st adopts a double extortion model, threatening to publish the victims' data if they don't pay the ransom. The group maintains a .onion site, which it uses to interact with its victims.

The Holy Ghost ransomware appends the file extension .h0lyenc to the filenames of encrypted files. Microsoft researchers tracked the early Holy Ghost ransomware variant as SiennaPurple (BTLC_C.exe); the experts noticed that the early variants lacked many features compared to the most recent ones. Microsoft tracks the recent variants as SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe); unlike the older ones, they are written in Go. HolyRS.exe was first detected in October 2021, HolyLocker.exe in March 2022 and BTLC.exe in April 2022.
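As an added example (not code from Microsoft's report or from this post), a small Python detector that applies the indicators quoted above, the .h0lyenc extension and the variant binary names, to constructed file-system telemetry; the burst thresholds are assumptions, not values from the report.

```python
from collections import deque

# Indicators quoted from the report: encrypted-file extension and variant binaries.
H0LYGH0ST_EXT = ".h0lyenc"
H0LYGH0ST_BINARIES = {"btlc_c.exe", "holyrs.exe", "holylocker.exe", "btlc.exe"}

# Assumed thresholds (not from the report): BURST_COUNT renames within BURST_WINDOW seconds.
BURST_COUNT = 5
BURST_WINDOW = 10.0


def analyze_events(events, burst_count=BURST_COUNT, window=BURST_WINDOW):
    """events: iterable of (timestamp_seconds, kind, detail) tuples, where kind is
    "rename" (detail = new path) or "exec" (detail = image path).
    Returns a list of alert strings, at most one burst alert per run."""
    alerts = []
    recent = deque()  # timestamps of recent renames to .h0lyenc
    burst_reported = False
    for ts, kind, detail in sorted(events, key=lambda e: e[0]):
        # Normalise Windows and POSIX separators and compare the basename case-insensitively.
        name = detail.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if kind == "exec" and name in H0LYGH0ST_BINARIES:
            alerts.append(f"{ts}: known H0lyGh0st binary executed: {detail}")
        elif kind == "rename" and name.endswith(H0LYGH0ST_EXT):
            recent.append(ts)
            while recent and ts - recent[0] > window:  # drop renames outside the window
                recent.popleft()
            if len(recent) >= burst_count and not burst_reported:
                alerts.append(f"{ts}: {len(recent)} files renamed to {H0LYGH0ST_EXT} within {window:g}s")
                burst_reported = True
    return alerts


# Constructed sample telemetry (not real victim data).
SAMPLE_EVENTS = [
    (0.0, "exec", r"C:\Users\Public\HolyRS.exe"),
    (1.0, "rename", r"C:\Data\report.docx.h0lyenc"),
    (1.5, "rename", r"C:\Data\budget.xlsx.h0lyenc"),
    (2.0, "rename", r"C:\Data\notes.txt"),  # unrelated rename, ignored
    (2.2, "rename", r"C:\Data\plan.pptx.h0lyenc"),
    (3.0, "rename", r"C:\Data\photo.jpg.h0lyenc"),
    (3.5, "rename", r"C:\Data\invoice.pdf.h0lyenc"),
]

if __name__ == "__main__":
    for line in analyze_events(SAMPLE_EVENTS):
        print(line)
```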


“Based on geopolitical observations by global experts on North Korean affairs and circumstantial observations, Microsoft analysts assess the use of ransomware by North Korea-based actors is likely motivated by two possible objectives. The first possibility is that the North Korean government sponsors this activity.” concludes Microsoft. “To offset the losses from these economic setbacks, the North Korean government could have sponsored cyber actors stealing from banks and cryptocurrency wallets for more than five years. If the North Korean government is ordering these ransomware attacks, then the attacks would be yet another tactic the government has enabled to offset financial losses. However, state-sponsored activity against cryptocurrency organizations has typically targeted a much broader set of victims than observed in DEV-0530 victimology. Because of this, it is equally possible that the North Korean government is not enabling or supporting these ransomware attacks. Individuals with ties to PLUTONIUM infrastructure and tools could be moonlighting for personal gain. This moonlighting theory might explain the often-random selection of victims targeted by DEV-0530.”

The SiennaBlue variant evolved over time, adding multiple encryption options, string obfuscation, public key management, and support for the internet and intranet. The threat actors asked victims to pay a ransom of 1.2 to 5 Bitcoins, allowing negotiation of the amount. Analysis of the attackers' wallet transactions shows that they failed to extort ransom payments from their victims. The report published by Microsoft also includes indicators of compromise (IOCs) for this threat and recommendations to mitigate it.

-Prameet