An emerging threat cluster originating from North Korea has been linked to developing and using ransomware in cyberattacks targeting small businesses since September 2021.
The group, which calls itself H0lyGh0st after the ransomware payload of the same name, is being tracked by the Microsoft Threat Intelligence Centre under the moniker DEV-0530, a designation assigned for unknown, emerging, or a developing group of threat activity.
Targeted entities primarily include small-to-midsize businesses such as manufacturing organizations, banks, schools, and event and meeting planning companies.
“Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the group uses to interact with their victims,” the researchers said in a Thursday analysis.
“The group’s standard methodology is to encrypt all files on the target device and use the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files.”
images from Hacker News