North Korean Threat Actor Targeting SME Businesses with Ransomware
North Korean threat actors are targeting small and mid-sized businesses with ransomware, according to Microsoft Security researchers. The group of actors, going by the name H0lyGh0st, have been developing and conducting cross-national malware attacks for over a year, performing successful attacks as early as September 2021.
As well as using a ransomware payload, the group – tracked by Microsoft as DEV-0530 – maintains an .onion site to communicate with their victims. Utilizing the method of double extortion, their strategy involves encrypting “all files on the target device” and using the file extension .h0lyenc. They then “send the victim a sample of the files” as evidence before demanding a Bitcoin payment in exchange for “restoring access to the files.” Microsoft Threat Intelligence Center (MSTIC) has observed that there is likely overlap between H0lyGh0st and PLUTONIUM (aka DarkSeoul or Andariel), another North Korean-based group.
MSTIC has proposed two possible rationales for these ransomware attacks. The first possibility is that they are directly funded by the North Korean state for economic reasons to offset the financial hit the country has taken from international sanctions, natural disasters, drought and COVID-19 lockdowns. The second and equally plausible motivation is that non-state-affiliated individuals with ties to PLUTONIUM infrastructure and tools are simply “moonlighting for personal gain.”
The article closed by offering recommendations for organizations and individuals on how to protect against ransomware and extortion threats. These included:
- Building credential hygiene
- Auditing credential exposure
- Prioritizing deployment of Active Directory updates
- Cloud hardening
- Enforcing Multifactor Authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.
- Enabling passwordless authentication methods for accounts that support passwordless. For accounts that still require passwords, use authenticator apps
- Disabling legacy authentication.