Microsoft on Thursday released their findings regarding H0lyGh0st, which is a group with ties to North Korea which utilizes a ransomware payload with the same name for its campaign and has successfully compromised small businesses in multiple countries, starting as early as September 2021.
Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims. The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay. This blog is intended to capture part of MSTIC’s analysis of DEV-0530 tactics, present the protections Microsoft has implemented in our security products, and share insights on DEV-0530 and H0lyGh0st ransomware with the broader security community to protect mutual customers.
Saryu Nayyar, CEO and Founder, Gurucul had this comment:
“While ransomware is seemingly focused on getting paid to unlock your sensitive data, threat actors often return multiple times once they are successful at an attack, knowing the victim has paid once. We also know they often replicate the data for themselves for sale even as they lock organizations out of their own data. However, this additional extortion through threats of posting the already stolen data is another example of how threat actors find ways to extract more out of their victims. It feels like a never-ending cycle for targeted organizations. This reinforces the need to evaluate newer and more advanced technologies beyond current XDR and SIEM platforms as part of ongoing threat detection and response initiatives within security operations to prevent a successful detonation of ransomware. Prioritizing solutions that automate detection, prioritize seemingly random indicators of compromise for further investigation and even automating responses with a high-level of confidence and low impact are critical in deciding where to invest.”
I would take a good look at the Microsoft report on these threat actors as this is clearly a dangerous bunch of individuals.
Like this:
Like Loading...
Related
This entry was posted on July 17, 2022 at 8:02 am and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Microsoft Publishes Their Findings On The H0lyGh0st Ransomware Group
Microsoft on Thursday released their findings regarding H0lyGh0st, which is a group with ties to North Korea which utilizes a ransomware payload with the same name for its campaign and has successfully compromised small businesses in multiple countries, starting as early as September 2021.
Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims. The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims’ customers if they refuse to pay. This blog is intended to capture part of MSTIC’s analysis of DEV-0530 tactics, present the protections Microsoft has implemented in our security products, and share insights on DEV-0530 and H0lyGh0st ransomware with the broader security community to protect mutual customers.
Saryu Nayyar, CEO and Founder, Gurucul had this comment:
“While ransomware is seemingly focused on getting paid to unlock your sensitive data, threat actors often return multiple times once they are successful at an attack, knowing the victim has paid once. We also know they often replicate the data for themselves for sale even as they lock organizations out of their own data. However, this additional extortion through threats of posting the already stolen data is another example of how threat actors find ways to extract more out of their victims. It feels like a never-ending cycle for targeted organizations. This reinforces the need to evaluate newer and more advanced technologies beyond current XDR and SIEM platforms as part of ongoing threat detection and response initiatives within security operations to prevent a successful detonation of ransomware. Prioritizing solutions that automate detection, prioritize seemingly random indicators of compromise for further investigation and even automating responses with a high-level of confidence and low impact are critical in deciding where to invest.”
I would take a good look at the Microsoft report on these threat actors as this is clearly a dangerous bunch of individuals.
Share this:
Like this:
Related
This entry was posted on July 17, 2022 at 8:02 am and is filed under Commentary with tags Microsoft. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.