Microsoft says a ransomware gang calling itself H0lyGh0st may be sponsored by the North Korean government as a way for the country to compensate for its struggling economy.
Ransomware attacks are often organized by private criminal groups to make money by victimizing vulnerable organizations. But what happens when a hostile nation-state sponsors the same tactic? A new report from the Microsoft Threat Intelligence Center examines a series of ransomware attacks linked to North Korea.
Since June 2021, a group of cybercriminals named DEV-0530 by Microsoft, but going by the name H0lyGh0st, has launched ransomware attacks mainly against small and medium-sized businesses in different countries. The gang encrypts sensitive files on a compromised system, sends the victim a sample file as proof of the attack, and then demands payment in the form of Bitcoin to decrypt the data. If the ransom is paid, the files are presumably restored. If not, the group threatens to send the data to the victim’s clients or post it on social media.
Beyond making money, H0lyGh0st tries to dress up its crimes by claiming they are also committed for charitable reasons. On its .onion website, the group claims it is fighting to bridge the gap between rich and poor, helping the hungry and raising the security awareness of its victims. The gang even runs its own contact form through which it responds to victims, explaining the weaknesses it exploited in their environment and telling them how to decrypt the affected files once the ransom is paid.
The North Korean connection comes into play in a couple of ways. Analyzing the times and patterns of H0lyGh0st operations, Microsoft said it found activity in the UTC+8 and UTC+9 time zones. UTC+9 is the time zone used in North Korea.
Furthermore, Microsoft said it has also seen certain connections between H0lyGh0st and a group it tracks as Plutonium. Plutonium, a North Korean threat group, has attacked the energy and defense industries in India, South Korea, and the US. The two groups have operated from the same infrastructure and used custom malware controllers with similar names. Additionally, Microsoft has observed email accounts controlled by H0lyGh0st communicating with accounts belonging to known Plutonium attackers.
Nation-states, even hostile ones, often employ cyberattacks for espionage or political and military purposes. Why would a country resort to ransomware? Microsoft cited a possible motivation.
Assuming the North Korean government is directly sponsoring the H0lyGh0st attacks, it may be doing so to raise money to help prop up its own economy. Hit by sanctions, natural disasters, COVID-19 lockdowns and other calamities, North Korea has seen its economy weaken. In trying to recover from its own financial downturn, the country may have been sponsoring ransomware attacks for the past few years.
“Poorer or heavily foreclosed nation-states may find ransomware attacks an attractive means of raising capital not available to them through normal means,” said Chris Clements, vice president of solutions architecture at Cerberus Sentinel. “Cryptocurrencies have made large-scale money transfers possible outside of traditional financial systems that have regulations and controls to prevent certain actions. A cybercrime group with limited funds can reap huge profits by targeting weaker targets like small businesses.”
However, Microsoft also acknowledges that the North Korean government may not be behind these ransomware incidents, in part because state-sponsored attacks typically target a much broader range of victims than the small and medium-sized businesses H0lyGh0st has gone after. Members of H0lyGh0st and Plutonium could simply be working on their own, attacking organizations for personal gain.
How to protect your business from ransomware attacks
Whoever is responsible for these ransomware attacks, all organizations need to take steps to protect themselves. To that end, Microsoft offers several recommendations.
- Set up and regularly test a process for backing up and restoring your critical data.
- Use the indicators of compromise detailed in the Microsoft report to determine if any of the indicators exist in your environment.
- Enforce multi-factor authentication across all accounts, devices, and locations at all times.
- Set up passwordless authentication methods like Windows Hello, FIDO keys, or Microsoft Authenticator for any supported account. To manage accounts that still require passwords, use authentication apps like Microsoft Authenticator for MFA.
- Disable all legacy authentication.
- For Microsoft enterprise customers, implement the Azure Security Benchmark and follow best practices to protect identity infrastructure. Ensure that all cloud admin and tenant admin accounts are protected with the same level of security and credential hygiene as that used for domain admins.
- For small and medium-sized businesses using Microsoft Defender for Business or Microsoft 365 Business Premium, turn on cloud-delivered protection in Microsoft Defender Antivirus to block new and unknown malware variants, and enable tamper protection to prevent attackers from disabling your security services.
- Use network protection to prevent apps and users from accessing malicious domains, and enable automated investigation and remediation so that Microsoft Defender for Endpoint can act on alerts to contain breaches.
- Use device discovery to locate unmanaged devices that can be added to Microsoft Defender for Endpoint and protect user identities and credentials with Microsoft Defender for Identity.
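The first recommendation above, a backup process that is regularly tested, is the one that decides whether an organization can refuse to pay once files are encrypted. The script below is an added example written for this article, not code from Microsoft's report or from the group described here. It records a SHA-256 manifest when a backup is taken, verifies the backup copy against that manifest, performs a restore drill into a scratch directory, and shows that the drill still passes after the live copy has been scrambled. The sample files, the XOR scrambling and the `.locked` suffix are constructed stand-ins for a ransomware event, not a description of H0lyGh0st's actual malware.

```python
"""Backup integrity check and restore drill (added example, not from the original article)."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_backup(src: Path, dest: Path) -> dict[str, str]:
    """Copy the source tree to dest and store a manifest next to it."""
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(src, dest)
    manifest = build_manifest(dest)
    (dest.parent / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(root: Path, manifest: dict[str, str]) -> list[str]:
    """Return every path that is missing, altered or unexpected compared with the manifest."""
    current = build_manifest(root)
    problems = [rel for rel, digest in manifest.items() if current.get(rel) != digest]
    problems += [rel for rel in current if rel not in manifest]
    return sorted(problems)


def restore_drill(backup: Path, manifest: dict[str, str], scratch: Path) -> list[str]:
    """Restore the backup into a scratch directory and verify the result; [] means a clean restore."""
    if scratch.exists():
        shutil.rmtree(scratch)
    shutil.copytree(backup, scratch)
    return verify_backup(scratch, manifest)


def simulate_encryption(path: Path, key: int = 0x5A) -> Path:
    """Constructed stand-in for ransomware: XOR-scramble the body, rename with .locked, drop the original."""
    locked = path.with_name(path.name + ".locked")
    locked.write_bytes(bytes(b ^ key for b in path.read_bytes()))
    path.unlink()
    return locked


def run_demo() -> dict:
    """Walk through backup, simulated compromise, restore drill and tamper detection on constructed data."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, backup, scratch = base / "live", base / "backup" / "data", base / "restore"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_bytes(b"date,amount\n2022-07-01,1200\n")  # constructed
        (live / "notes.txt").write_bytes(b"quarterly plan draft")  # constructed
        original = build_manifest(live)

        manifest = take_backup(live, backup)
        results = {"backup_matches_live": manifest == original,
                   "backup_ok": verify_backup(backup, manifest)}

        # The live copy is hit; every file is scrambled and renamed.
        for p in [q for q in live.rglob("*") if q.is_file()]:
            simulate_encryption(p)
        results["live_damaged"] = verify_backup(live, original)

        # The backup copy was not reachable from the compromised host, so the drill passes.
        results["restore_problems"] = restore_drill(backup, manifest, scratch)
        results["restored_matches_original"] = build_manifest(scratch) == original

        # A backup that was itself altered must fail verification rather than restore silently.
        (backup / "notes.txt").write_bytes(b"garbage")
        results["tamper_detected"] = verify_backup(backup, manifest)
    return results


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The point of keeping the manifest separate from the data is that a scrambled or partially overwritten backup shows up as a verification failure before anyone depends on it; the drill should run on a schedule, not only after an incident.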
“The best defense most organizations can do to prevent ransomware, and really all hackers and malware, is to mitigate social engineering, patch their software, use phishing-resistant MFA, and use different, strong passwords on each site and service,” said Roger Grimes, data-driven defense evangelist at KnowBe4. “Those four defenses, if done 100% effectively, would eliminate 99% of the risk of hacking and malware.”