As the US authorities increase the available reward for information on North Korean threat actors by $5m, threat researchers at Digital Shadows have been probing a new North Korean ransomware gang, dubbed H0lyGh0st, the existence of which was reported earlier this month by Microsoft.
The gang, which seems to specialise in targeting small and medium-sized enterprises (SMEs), has a modus operandi that is not all that different from other ransomware gangs – it favours double extortion tactics and operates a data leak website, among other things – but has some notable quirks that set it apart from its peers, according to Digital Shadows senior cyber threat intelligence analyst Chris Morgan.
While modern ransomware gangs are chiefly associated with Russia – 74% of ransom payments went to Russia-based groups in 2021, according to Chainalysis – North Korean groups such as Lazarus (with which H0lyGh0st may be linked through the DarkSeoul APT) did much to originate the genre through high-profile incidents such as WannaCry. Other North Korean ransomware strains are not unheard of either.
However, Morgan explained, North Korean ransomware operations face some unique challenges that are less troubling to Russian groups.
“Operating a cyber criminal operation from communist North Korea will present H0lyGh0st with a number of unique issues,” he said. “While the specific relationship with the state is unclear, it’s likely that H0lyGh0st will have to pay a significant percentage or even all of its profits to the North Korean government.
“While your average Russian cyber criminal is probably blowing his payments on a Lamborghini or dozens of bottles of Bollinger, realistically what can you spend your earnings on in the retail chains of Pyongyang? It certainly raises questions about the motivations of H0lyGh0st’s operators.”
Further challenges present themselves in terms of operating infrastructure and communicating with victims from inside a pariah state. The parlous state of North Korea’s internet services and its electrical grid mean that H0lyGh0st’s leak site is frequently knocked offline, and it does not post its victims’ data as frequently as others do. Morgan believes this may impact its credibility and its ability to ransom victims who assume they are dealing with an attacker that doesn’t have the means to operate like Conti or REvil.
H0lyGh0st is also likely to find it harder than others to identify developing techniques and attract new talent to its crew, said Morgan. Higher-profile operations maintain their success through a process of continuous improvement, evolving their techniques and burnishing their reputation. H0lyGh0st’s ability to do this is likely severely hindered.
However, said Morgan, there are distinct advantages to operating out of North Korea. “One observation from Microsoft was H0lyGh0st charged remarkably low ransom prices for victims. H0lyGh0st typically asks victims for a ransom of 1.2 to 5 bitcoins and is willing to lower the price to less than one-third of that during negotiations.
“To put that in context, while the price has fluctuated dramatically in the last year, one bitcoin is currently priced at around $20,000-24,000. That is dramatically lower than the majority of other ransomware groups.”
Indeed, he said, this may in fact make victims more likely to pay up on first contact, and potentially eliminates the need for protracted negotiations with victims, saving everyone time and money, although not in a good way.
H0lyGh0st also benefits from a certain degree of protection from international law enforcement. Thanks to North Korea’s isolation from the international community, western authorities’ only real options are issuing indictments or going after the crypto platforms used to launder the proceeds. They have little or no ability to conduct operations, seize infrastructure or make arrests – as frequently happened in Russia and Ukraine prior to the war.
Morgan said H0lyGh0st would likely play a continual, albeit limited, role in a wider repertoire of financially motivated cyber criminal activity – such as the targeting of vulnerable crypto and non-fungible token (NFT) platforms – coming out of North Korea.