Unearthing the H0lyGh0st - Cyber Criminals Targeting SMBs

It is no secret that small and midsize businesses (SMBs) lack the resources to maintain a robust security posture. Therefore, cybercriminals increasingly exploit SMBs more than larger organizations with sophisticated security controls. Recently, we have noticed financially-motivated threat actors employing advanced tactics, techniques, and procedures (TTPs) that were once attributed to state-sponsored, advanced persistent threat (APT) actors. These cybercriminals using sophisticated, APT-like TTPs against SMBs are often considered to be moonlighting; this article focuses on a new group in the spotlight, H0lyGh0st.


H0lyGh0st is a cybercriminal group based in North Korea. Operating like a ransomware group, they actively carry out cybercriminal activities, including malware development and deployment, leveraging the double-extortion tactic to encrypt stolen data and pressure victims into making ransom payments. As early as September 2021, we observed H0lyGh0st launching targeted cyberattacks against SMBs in diverse sectors, including industrial manufacturing, financial services, and higher education institutions. 


Threat Actor Analysis

H0lyGh0st is arguably a ransomware group with access to sophisticated attack capabilities that we have previously seen displayed in the wild only by state-sponsored APT actors. Using its namesake ransomware, the group encrypts files on target systems. Its operational process includes:


●      Appending the ".h0lyenc" file extension to the files it encrypts on a system.

●      Sending encrypted file samples to the victims as evidence of a compromise.

●      Demanding ransom for the decryption key. 


To maintain a secure line with their victims, the H0lyGh0st group communicates via a ".onion"-hosted site they control. Figure 1 shows a real-life example of the welcome message on the H0lyGh0st website; Figure 2 shows the instructions for victims; Figure 3 shows the initial message H0lyGh0st sends to victims notifying them of the compromise.


Although they claim on their site to be "Robin Hood," H0lyGh0st is known to prey on SMBs with inadequate security infrastructure rather than on larger enterprises with sophisticated security controls. After the threat actors gain a foothold in a victim's network, they move laterally across it, seeking exploitable vulnerabilities that allow them to steal sensitive information.


Figure 1: The H0lyGh0st group's website's welcome message.

Figure 2: Instructions for victims on the H0lyGh0st site.


Figure 3: Email sent to the victim by H0lyGh0st.


They ask for a ransom payment in BTC (bitcoin), which usually ranges from 1.5 BTC to 5 BTC. The group threatens to disseminate the stolen sensitive information on social media platforms or sell it to the victim's competitors if the ransom is not paid.


Affiliations with other North Korean threat actors


Affiliated APT Group — PLUTONIUM

Security researchers discovered technical similarities between H0lyGh0st and PLUTONIUM, a subset of the North Korean state-sponsored group known as Lazarus. Both threat actors share similar TTPs, and security researchers discovered email communications between members of the two groups. Furthermore, while deploying malicious artifacts on victim networks, H0lyGh0st leveraged attack tools and infrastructure owned and operated by PLUTONIUM. In addition, the attack vectors both groups use to deploy custom malware controllers are similar, indicating close ties.



The SiennaPurple Family Connection

H0lyGh0st's first ransomware was BTLC C.exe, a simple malware payload compared with the later HolyRS.exe, HolyLock.exe, and BLTC.exe. BTLC C.exe executes only with administrator privileges; otherwise, it displays a hard-coded error message saying that the program needs an admin user. This malware employs a simple string obfuscation: at runtime it recovers each string by subtracting 0x30 from each of the string's byte values. For example, the hard-coded C2 IP address 192[.]46[.]19[.]123 from main_ServerBaseURL (hxxp://192[.]46[.]19[.]123:8888) is stored as "aic^ef^bi^abc0". In addition, the Indicators of Compromise (IoCs) recovered from the decoded malware exhibit strong similarities to other SiennaBlue family variants in terms of C2 infrastructure and beacon URL structure (access.php?order=AccessRequest&cmn).
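The following is an added example (not code from the H0lyGh0st sample, Microsoft, or ContraForce) that implements the subtract-0x30 string deobfuscation described above, so an analyst can recover C2 strings from a sample, and then runs a matcher for the SiennaBlue beacon URL shape over a few constructed proxy log lines. Applied to the quoted string "aic^ef^bi^abc0", subtracting 0x30 from each byte gives 193.56.29.123, and the trailing "0" (0x30) decodes to the NUL terminator of a C string; the 203.0.113.x address and log format in the sample are constructed for illustration.

```python
import re

# Constructed input: the encoded C2 string quoted in the article.
ENCODED_C2 = b"aic^ef^bi^abc0"


def deobfuscate(encoded: bytes) -> str:
    """Subtract 0x30 from every byte; stop at the first NUL (an encoded '0')."""
    out = bytearray()
    for b in encoded:
        if b < 0x30:
            # A stored byte below 0x30 cannot have been produced by adding 0x30.
            raise ValueError(f"byte 0x{b:02x} cannot be an obfuscated value")
        plain = b - 0x30
        if plain == 0:  # '0' (0x30) encodes the C-string terminator
            break
        out.append(plain)
    return out.decode("ascii")


def obfuscate(plain: str) -> bytes:
    """Inverse transform: lets a defender derive the stored form of a known IoC
    so it can be searched for in samples without running them."""
    return bytes(b + 0x30 for b in plain.encode("ascii")) + b"0"


# Beacon URL structure shared across SiennaBlue variants (from the article).
BEACON_RE = re.compile(r"/access\.php\?order=AccessRequest&cmn", re.IGNORECASE)


def find_beacons(proxy_lines):
    """Return (client, url) for proxy log lines whose URL matches the beacon shape.
    Assumed constructed line format: '<timestamp> <client> <url>'."""
    hits = []
    for line in proxy_lines:
        parts = line.split()
        if len(parts) >= 3 and BEACON_RE.search(parts[2]):
            hits.append((parts[1], parts[2]))
    return hits


# Constructed sample proxy log lines, not real traffic.
SAMPLE_LOG = [
    "2021-09-14T10:01:02Z 10.0.0.5 http://203.0.113.9:8888/access.php?order=AccessRequest&cmn=HOST01",
    "2021-09-14T10:01:05Z 10.0.0.7 https://example.org/index.php?order=12345",
    "2021-09-14T10:01:09Z 10.0.0.5 http://203.0.113.9:8888/access.php?order=AccessRequest&cmn=HOST01",
]

if __name__ == "__main__":
    print("decoded C2:", deobfuscate(ENCODED_C2))
    for client, url in find_beacons(SAMPLE_LOG):
        print("beacon-like request:", client, url)
```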



Figure 4: The evolution of H0lyGh0st’s payload over time.



Anatomy of Attack Methodologies 


MITRE ATT&CK Techniques Used by H0lyGh0st


The MITRE ATT&CK matrix catalogs the tactics and techniques observed in real-world cyberattacks. According to MITRE, the following are the tactics and techniques identified in H0lyGh0st ransomware operations:

Indicators of Compromise (IoCs)

The following are the IoCs associated with H0lyGh0st ransomware:

Mitigation Considerations

Removing H0lyGh0st ransomware from an operating system will prevent it from encrypting additional files. However, removal will not recover data that has already been encrypted. Therefore, the only option is to restore the data from a backup (if one is available). As a result, we strongly advise keeping backups in multiple places (e.g., remote servers, disconnected storage devices, etc.) to prevent irreversible data loss.


Recommendations for Attack Mitigation

Because H0lyGh0st ransomware targets SMBs from diverse industries, all organizations are encouraged to implement technical and administrative controls, including a proactive evaluation of their data backup and recovery plans. In addition, an organization can mitigate H0lyGh0st's attack methods by adopting the following security best practices:


·     Establish a proactive credential hygiene program. 

·     Audit credential exposures across your infrastructure. 

·     Prioritize the deployment of Active Directory updates. 

·     Harden cloud computing environments by ensuring that cloud admins/tenant admins receive the same security and credential hygiene as domain admins.

·     Leverage advanced security tools to monitor and analyze user activities on your network (cloud-based or on-prem). 

·     Enforce multi-factor authentication (MFA) on all accounts, remove any users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.

·     EDR in block mode can stop malicious artifacts even when a non-Microsoft antivirus does not identify the threat or while Microsoft Defender Antivirus is operating in passive mode. In block mode, EDR blocks artifacts matching Microsoft Threat Intelligence indicators.

o  Find unmanaged devices and add them to your EDR solution to boost visibility.

o  Enable automatic investigation and remediation capabilities on your endpoint security tools to fix security incidents.



Cybercriminals leverage human error and system vulnerabilities to steal and siphon funds for personal gain. Today, however, rogue nation states are turning to cyber threats as a tool to circumvent sanctions, and their first targets are small and medium-sized businesses, usually the lower-hanging fruit.


As a North Korea-based ransomware group, H0lyGh0st is believed by security experts to work in collaboration with state-sponsored threat actors (sharing attack tooling and methodologies) to help advance the military and economic interests of the North Korean government. Since September 2021, H0lyGh0st ransomware has exploited unpatched vulnerabilities in web applications (such as CVE-2022-26352) and encrypted data files on the selected instances, appending the .h0lyenc extension. In 2021-2022, the attackers released four H0lyGh0st ransomware samples (BTLC C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe) targeting Windows operating systems.


As sanctions continue to impact economic and social life in rogue nation states like North Korea, we expect the government to continue to rely heavily on cybercriminal groups to steal funds that help offset the effects of the sanctions and sustain malicious programs, such as nuclear weapons programs and military assaults against other nations. As the cyber threat landscape continues to evolve, cybersecurity experts expect to see more financially motivated cybercriminals leveraging attack tools owned and controlled by state-sponsored APT groups. With central backing and resources from rogue nation states, ransomware attacks against SMBs are likely to become much more sophisticated.

