Researchers at the Microsoft Threat Intelligence Center (MSTIC) have been tracking a North Korean ransomware operation for more than a year. The group, dubbed Holy Ghost, is tracked as DEV-0530 by MSTIC. The group does not have the notoriety of other ransomware groups as the group’s financial success has been limited compared to larger gangs. Early Holy Ghost variants did not have many features, but MSTIC notes the newer variants (HolyRS.exe, HolyLocker.exe, and BTLC.exe) have expanded over time to include multiple encryption options, string obfuscation, public key management, and internet/intranet support. MSTIC reports that the group may not be controlled by the North Korean government, but there is a connection between the two. MSTIC found communication between email accounts belonging to Holy Ghost and the Andariel, a threat actor part of the Lazarus Group under North Korea’s Reconnaissance General Bureau. The Holy Ghost victim site is currently down, but the group previously stated the purpose behind their attacks was to close the gap between rich and poor. It is common for ransomware groups to act as though their operation is for the greater good instead of a criminal endeavor.