North Korean Threat Actor Targeting SME Businesses with Ransomware

Security

North Korean threat actors are targeting small and mid-sized businesses with ransomware, according to Microsoft Security researchers. The group of actors, going by the name H0lyGh0st, have been developing and conducting cross-national malware attacks for over a year, performing successful attacks as early as September 2021. 

As well as using a ransomware payload, the group – tracked by Microsoft as DEV-0530 – maintains an .onion site to communicate with their victims. Utilizing the method of double extortion, their strategy involves encrypting “all files on the target device” and using the file extension .h0lyenc. They then “send the victim a sample of the files” as evidence before demanding a Bitcoin payment in exchange for “restoring access to the files.” Microsoft Threat Intelligence Center (MSTIC) has observed that there is likely overlap between H0lyGh0st and PLUTONIUM (aka DarkSeoul or Andariel), another North Korean-based group.

MSTIC has proposed two possible rationales for these ransomware attacks. The first possibility is that they are directly funded by the North Korean state for economic reasons to offset the financial hit the country has taken from international sanctions, natural disasters, drought and COVID-19 lockdowns. The second and equally plausible motivation is that non-state-affiliated individuals with ties to PLUTONIUM infrastructure and tools are simply “moonlighting for personal gain.” 

The article closed by offering recommendations for organizations and individuals on how to protect against ransomware and extortion threats. These included:

  1. Building credential hygiene
  2. Auditing credential exposure
  3. Prioritizing deployment of Active Directory updates
  4. Cloud hardening
  5. Enforcing Multifactor Authentication (MFA) on all accounts, remove users excluded from MFA, and strictly require MFA from all devices, in all locations, at all times.
  6. Enabling passwordless authentication methods for accounts that support passwordless. For accounts that still require passwords, use authenticator apps
  7. Disabling legacy authentication.

Products You May Like

Articles You May Like

Traffic Light Protocol for cybersecurity responders gets a revamp
Recovery From NHS Ransomware Attack May Take a Month
DeathStalker’s VileRAT Continues to Target Foreign and Crypto Exchanges
Cybercrime a Key Revenue Stream For North Korea’s Weapons Program
CISA Issues Warning on Active Exploitation of UnRAR Software for Linux Systems

Leave a Reply

Your email address will not be published.