Researchers at the Microsoft Threat Intelligence Center (MSTIC) have been tracking a North Korean ransomware operation for more than a year. The group, dubbed Holy Ghost, is tracked as DEV-0530 by MSTIC. It lacks the notoriety of other ransomware groups because its financial success has been limited compared to larger gangs. Early Holy Ghost variants had few features, but MSTIC notes that the newer variants (HolyRS.exe, HolyLocker.exe, and BTLC.exe) have expanded over time to include multiple encryption options, string obfuscation, public key management, and internet/intranet support. MSTIC reports that the group may not be controlled by the North Korean government, but there is a connection between the two: MSTIC found communication between email accounts belonging to Holy Ghost and Andariel, a threat actor that is part of the Lazarus Group under North Korea's Reconnaissance General Bureau. The Holy Ghost victim site is currently down, but the group previously stated that the purpose behind its attacks was to close the gap between rich and poor. It is common for ransomware groups to present their operation as being for the greater good rather than a criminal endeavor.
Even though Holy Ghost threat actors may not be employed by the North Korean government, it is no surprise that they are connected in some way. This is a common arrangement that is also believed to be taking place in Russia, where intelligence services are believed to be leveraging threat actors to help shape the war in Ukraine. Microsoft has compiled recommended actions to mitigate the threat of Holy Ghost ransomware in its full report on the threat group, which can be found here: