H0lyGh0st Ransomware After Small and Midsize Businesses

ATTACK Simulator
3 min readAug 17, 2022
H0lyGh0st Ransomware After Small and Midsize Businesses

Microsoft has linked H0lyGh0st, a cyberthreat that emerged in June 2021 and targets small-to-midsized businesses, to North Korean state-sponsored attacks.

What is H0lyGh0st?

Microsoft Threat Intelligence Center (MSTIC) calls the threat DEV-0530 in a post. Researchers linked the group to several financially motivated North Korean state-sponsored attacks that had already affected various small and midsize companies. The ransomware gang has been active since June 2021.

Victimized businesses include manufacturing organizations, financial institutions, schools, and meeting planning companies from various countries.

H0lyGh0st follows a series of steps in their attacks: “The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay,” researchers wrote.

H0lyGh0st ransom note. Source: Microsoft

The ransomware gang also interacts with victims on a .onion site, where they provide a contact form for victims to get in touch.

“They also attempt to legitimize their actions by claiming to increase the victim’s security awareness by letting the victims know more about their security posture,” they noted.

H0lyGh0st is also connected to another North Korean-based threat group tracked as PLUTONIUM, also known as DarkSeoul or Andariel. According to MSTIC, communications between the two groups were spotted. H0lyGh0st also has been observed using tools created exclusively by PLUTONIUM in their attacks.

Latest H0lyGh0st Ransomware Variant

The latest ransomware variant used by the group is BTLC.exe, which researchers have observed in attacks since April of this year.

BTLC.exe can be configured to connect to a network share using the default username, password, and intranet URL hardcoded in the malware if the ServerBaseURL is not accessible from the device, researchers wrote.

The malware variant also features a persistence mechanism in which it creates or deletes a scheduled task called lockertask that can launch the ransomware. Once the malware is successfully launched as an administrator, it tries to connect to the default ServerBaseURL hardcoded in the malware, attempts to upload a public key to the C2 server, and encrypts all files in the victim’s drive.

As for the financial revenue for the threat actors, “the attackers frequently asked victims for anywhere from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate and, in some cases, lowered the price to less than one-third of the initial asking price. As of early July 2022, a review of the attackers’ wallet transactions shows that they have not successfully extorted ransom payments from their victims,” researchers noted.

Microsoft’s Recommendations

- Building credential hygiene
- Auditing credential exposure
- Prioritizing deployment of Active Directory updates
- Enforcing MFA on all accounts
- Enabling passwordless authentication methods
- Disabling legacy authentication

However, considering that the most important vector for ransomware infections is phishing emails, you must prioritize investing in a solid and comprehensive security awareness training program for your employees to ensure your ransomware resiliency.

Human error is a top threat in 2022 and your company’s worst enemy. Fight attacks with knowledge, and replace your employees’ predisposition to fall victim with awareness and vigilance.

ATTACK Simulator’s Security Awareness Training program will help you equip your employees with the necessary security knowledge and up-to-date security practices to keep your company safe from scammers and avoid potentially irreparable damage.


Feature Image: Photo by Jack Moreh from Freerange Stock


Microsoft North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware

Threatpost Emerging H0lyGh0st Ransomware Tied to North Korea



ATTACK Simulator

We’re a fresh startup that aims at creating a culture of security in every company by teaching security awareness through automated phishing simulations.