A North Korean threat actor group has been using ransomware payloads to compromise small businesses in several countries, according to Microsoft.
The group, dubbed "Holy Ghost," has been developing and using ransomware in its attacks since June 2021 and launching campaigns against small businesses since September 2021, Microsoft said. It also has connections to the Plutonium North Korean threat actor group and has communicated with this group.
What Happens During a Holy Ghost Attack?
Holy Ghost may exploit vulnerabilities such as CVE-2022-26352 (a DotCMS remote code execution vulnerability) in public-facing web applications and content management systems to gain access to victims' networks, Microsoft reported.
If Holy Ghost compromises a network, it exfiltrates a copy of the victim's files, Microsoft stated. It then encrypts the contents of the victim's device, replacing each file name with its Base64-encoded form and changing the file extension. Next, Holy Ghost notifies the victim by email that it has stolen and encrypted their files, includes a sample of the stolen data to back up its claim, and demands a ransom payment to recover the files.
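The rename pattern described above (Base64-encoded file name plus a new extension) is something a responder can use during triage: decoding the names recovers an inventory of what was encrypted, and the share of files matching the pattern flags a mass-rename event. The script below is an added example, not code from the article or from Microsoft; the ".encrypted" extension and all file names are constructed placeholders, since the article does not name the real extension.

```python
import base64
import re
from typing import Dict, Iterable, Optional

# Placeholder extension: the article does not name the one the actor uses.
ENCRYPTED_EXT = ".encrypted"

# Strict Base64 alphabet with at most two padding characters.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_original_name(stem: str) -> Optional[str]:
    """Return the plausible original file name encoded in `stem`, or None.

    Three checks keep false positives down: the stem must be well-formed
    Base64, it must decode to printable UTF-8, and the decoded text must
    carry its own extension (a real file name, not random bytes).
    """
    if len(stem) % 4 != 0 or not B64_RE.match(stem):
        return None
    try:
        text = base64.b64decode(stem, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    if not text.isprintable() or "." not in text.strip("."):
        return None
    return text


def simulate_rename(original: str, ext: str = ENCRYPTED_EXT) -> str:
    """Model of the rename the article describes, used only to build test data."""
    return base64.b64encode(original.encode("utf-8")).decode("ascii") + ext


def triage_listing(names: Iterable[str], ext: str = ENCRYPTED_EXT) -> Dict[str, str]:
    """Map each matching encrypted name to its recovered original name."""
    hits: Dict[str, str] = {}
    for name in names:
        if not ext or not name.endswith(ext):
            continue
        original = decode_original_name(name[: -len(ext)])
        if original is not None:
            hits[name] = original
    return hits


def mass_rename_ratio(names: list, ext: str = ENCRYPTED_EXT) -> float:
    """Fraction of a directory listing that matches the rename pattern."""
    return len(triage_listing(names, ext)) / len(names) if names else 0.0


# Constructed directory listing: four renamed files and four benign ones.
ORIGINALS = ["Q2 financials.xlsx", "contracts.pdf", "payroll.csv", "backup-2022.zip"]
BENIGN = ["readme.txt", "notes.docx", "abcd.txt", "data.encrypted"]  # "data" is Base64 but not a name
SAMPLE_LISTING = [simulate_rename(n) for n in ORIGINALS] + BENIGN

if __name__ == "__main__":
    for enc, orig in triage_listing(SAMPLE_LISTING).items():
        print(f"{enc} -> {orig}")
    print(f"mass-rename ratio: {mass_rename_ratio(SAMPLE_LISTING):.2f}")
```

Run against a real listing (for example `os.listdir` output from an affected share) the ratio is a cheap signal for alerting, and the recovered names feed the restore-from-backup checklist.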
Holy Ghost also maintains an .onion site to interact with victims, Microsoft noted. If a victim interacts with the site, Holy Ghost encrypts files on the victim's target device, sends the victim a sample of the files as proof it has stolen them and demands payment in Bitcoin in exchange for restoring access to the files. It then threatens to publish the victim's data on social media or send it to their customers if no payment is submitted.
How to Protect Against Holy Ghost Attacks
Small business MSPs and other organizations can use Microsoft Defender Antivirus to detect and block SiennaPurple and SiennaBlue, the group's ransomware payload families, Microsoft stated. In addition, Microsoft Defender for Business and Microsoft 365 Business Premium include features to help these organizations protect against Holy Ghost.
Also, Microsoft is encouraging small business MSPs and other organizations to implement and validate a data backup and restoration plan to guard against Holy Ghost and other ransomware and extortion threats. It will continue to monitor Holy Ghost and provide indicators of compromise (IOCs) that organizations can use to track the threat actor group's past activity and explore ways to guard against future attacks.