Why North Korean cybercriminals are targeting businesses with ransomware
Microsoft says a ransomware gang calling itself H0lyGh0st may be sponsored by the North Korean government as a way for the country to offset its struggling economy.
Ransomware attacks are typically staged by private criminal groups to make money through victimizing vulnerable organizations. But what happens when a hostile nation-state sponsors that same tactic? A new report by the Microsoft Threat Intelligence Center examines a series of ransomware attacks with ties to North Korea.
Since June of 2021, a cybercriminal group dubbed DEV-0530 by Microsoft but calling itself H0lyGh0st has launched ransomware attacks primarily against small and mid-sized businesses across different countries. The gang encrypts sensitive files on a compromised system, sends the victim a sample file as proof of the attack and then demands payment in the form of Bitcoin to decrypt the data. If the ransom is paid, the files presumably are restored. If not, the group threatens to send the data to customers of the victim or publish them on social media.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
Beyond making money, H0lyGh0st tries to spin its crimes by claiming that they’re also being committed for magnanimous reasons. At its .onion website, the group asserts that it’s struggling to close the gap between the rich and the poor, helping the hungry and increasing the security awareness of its victims. The gang even has its own contact form through which it will respond to victims, explaining their vulnerabilities and telling them how to decrypt the compromised files once the ransom is paid.
The North Korean connection comes into play in a couple of ways. Analyzing the times and patterns of H0lyGh0st operations, Microsoft said that it found activity from the UTC+8 and UTC+9 time zones. UTC+9 is the time zone used in North Korea.
Further, Microsoft said that it also has seen certain connections between H0lyGh0st and a group called Plutonium. A North Korean cybercrime gang, Plutonium has attacked the energy and defense industries in India, South Korea and the U.S. The two groups have used the same infrastructure and similarly named custom malware controllers. Further, Microsoft has discovered H0lyGh0st email accounts communicating with the accounts of known Plutonium attackers.
Nation-states, even hostile ones, usually employ cyberattacks for espionage or political and military purposes. Why would a country turn to ransomware? Microsoft cited one possible motivation.
Assuming that the North Korean government is directly sponsoring the H0lyGh0st attacks, it may be doing so to bring in money to help prop up its own economy. Hit by sanctions, natural disasters, COVID-19 lockdowns and other calamities, North Korea has seen its economy weaken. To try to bounce back from its own financial downturn, the country could have been sponsoring ransomware attacks for the past several years.
“Poorer or heavily embargoed nation-states can find ransomware attacks an attractive means of raising capital not available to them through normal means,” said Chris Clements, VP of solutions architecture for Cerberus Sentinel. “Cryptocurrencies have made large scale monetary transfers possible outside of the traditional financial systems that have regulations and controls in place to prevent certain actions. A cybercrime group with limited funding can recognize large returns by targeting the softest targets like small businesses.”
However, Microsoft also concedes that the North Korean government may not be behind these ransomware incidents, in part because state-sponsored attacks typically target a much wider range of victims beyond those targeted by H0lyGh0st. Members of H0lyGh0st and Plutonium might simply be working individually to attack organizations for their own personal gain.
How to protect your business from ransomware attacks
Whomever is responsible for these ransomware attacks, all organizations should take steps to protect themselves. Toward that end, Microsoft offers several recommendations.
- Set up and regularly test a process to back up and restore your critical data.
- Use the Indicators of Compromise detailed in Microsoft’s report to determine if any of the indicators exist in your environment.
- Enforce multi-factor authentication on all accounts, devices and locations at all times.
- Set up passwordless authentication methods such as Windows Hello, FIDO keys or Microsoft Authenticator for any supported accounts. To manage accounts that still need passwords, use authenticator apps such as Microsoft Authenticator for MFA.
- Disable all legacy authentication.
- For Microsoft enterprise customers, implement the Azure Security Benchmark and follow the best practices for securing identity infrastructure. Make sure all cloud admin and tenant admin accounts are protected with the same level of security and credential hygiene as that used for domain admins.
- For small and mid-size companies that use Microsoft Defender for Business or Microsoft 365 Business Premium, turn on cloud-delivered protection in Microsoft Defender Antivirus to block new and unknown variants of malware and enable tamper protection to prevent attackers from stopping your security services.
- Use network protection to stop applications and users from accessing malicious domains and enable investigation and remediation in automated mode so that Microsoft Defender for Endpoint can act on alerts to mitigate breaches.
- Use device discovery to locate unmanaged devices that can be added to Microsoft Defender for Endpoint and protect user identities and credentials using Microsoft Defender for Identity.
“The best defenses most organizations can do to prevent ransomware, and really all hackers and malware, is to mitigate social engineering, patch their software, use phishing-resistant MFA, and use different and strong passwords on every site and service,” said Roger Grimes, data driven defense evangelist for KnowBe4. “Those four defenses, if done 100% effectively, would get rid of 99% of the risk of all hacking and malware.”