Why are North Korean cybercriminals targeting businesses with ransomware?


Microsoft says a ransomware gang calling itself H0lyGh0st may be funded by the North Korean government as a way for the country to offset its struggling economy.

NORTH KOREA, PYONGYANG - July 24: Mansudae Monument on July 24, 2014 in Pyongyang, North Korea.  Mansudae is the most revered monument of the late leaders of the DPRK.
Image: Mieszko9 / Adobe Stock

Ransomware attacks are often orchestrated by private criminal groups that make money by victimizing vulnerable organizations. But what happens when a hostile state sponsors the same tactic? A new report from the Microsoft Threat Intelligence Center examines a series of ransomware attacks with ties to North Korea.

Since June 2021, a cybercriminal group tracked by Microsoft as DEV-0530, but calling itself H0lyGh0st, has been conducting ransomware attacks aimed mainly at small and medium businesses across different countries. The gang encrypts sensitive files on a compromised system, sends victims a sample file as proof of the attack, and then demands payment in Bitcoin to decrypt the data. If the ransom is paid, the files will presumably be restored. Otherwise, the group threatens to send the data to the victim’s customers or publish it on social media.

In addition to making money, H0lyGh0st also tries to justify its crimes by claiming that they serve noble causes. On its .onion website, the group claims that it is fighting to close the gap between rich and poor, help the hungry and raise security awareness among victims. The gang even has its own contact form through which it responds to victims, explaining how they were compromised and telling them how to decrypt the affected files once the ransom is paid.

The link to North Korea rests on several observations. Analyzing H0lyGh0st’s timing and activity patterns, Microsoft said it found activity consistent with the UTC+8 and UTC+9 time zones. UTC+9 is the time zone used in North Korea.

Microsoft says it has also seen connections between H0lyGh0st and a group it calls Plutonium. A North Korean state-linked attacker, Plutonium has targeted the energy and defense industries in India, South Korea and the US. Furthermore, Microsoft discovered H0lyGh0st email accounts communicating with accounts belonging to known Plutonium attackers.

States, even hostile ones, often use cyberattacks for espionage or political and military purposes. Why would a country turn to ransomware? Microsoft cited a possible motivation.

If the North Korean government is directly funding the H0lyGh0st attacks, it may be doing so to bring in money to prop up its own economy. Hit by sanctions, natural disasters, COVID-19 lockdowns and other setbacks, North Korea has seen its economy weaken. To try to recover from that financial downturn, the country may have funded ransomware attacks over the past few years.

“Poorer or heavily embargoed countries may find ransomware attacks an attractive method of raising funds that are not available through conventional means,” said Chris Clements, Vice President of Solution Architecture at Cerberus Sentinel. “Cryptocurrencies have made large-scale remittances possible outside of traditional financial systems that have regulations and controls to prevent certain actions. A group of cybercriminals with limited funding can realize huge profits by targeting the softest of targets like small businesses.”

However, Microsoft also acknowledges that the North Korean government may not be behind these ransomware incidents, in part because state-sponsored attacks usually target far more victims than H0lyGh0st has. Members of H0lyGh0st and Plutonium may simply be working on their own, attacking organizations for personal gain.

How to protect your business from ransomware attacks

Whoever is responsible for these ransomware attacks, all organizations should take steps to protect themselves. To that end, Microsoft makes several recommendations.

  • Set up, and regularly test, backup and restore procedures for your important data.
  • Use the indicators of compromise detailed in Microsoft’s report to determine whether any are present in your environment.
  • Enforce multi-factor authentication across all accounts, devices and locations at all times.
  • Set up passwordless authentication methods like Windows Hello, FIDO keys or Microsoft Authenticator for any accounts that support them. For accounts that still require a password, use an authenticator app such as Microsoft Authenticator for MFA.
  • Turn off all legacy authentication.
  • For Microsoft business customers, deploy the Azure Security Benchmark and follow best practices for securing identity infrastructure. Ensure that all cloud admin and tenant admin accounts are protected with the same level of credential security and hygiene as domain administrators.
  • For small and medium-sized companies using Microsoft Defender for Business or Microsoft 365 Business Premium, enable cloud-delivered protection in Microsoft Defender Antivirus to block new and unknown malware variants, and turn on tamper protection to prevent attackers from disabling your security services.
  • Use network protection to prevent apps and users from accessing malicious domains, and enable automated investigation and remediation so that Microsoft Defender for Endpoint can respond to alerts and reduce the impact of breaches.
  • Use device discovery to locate unmanaged devices that can be onboarded to Microsoft Defender for Endpoint, and protect users’ identities and credentials with Microsoft Defender for Identity.

“The best defense most organizations can mount to stop ransomware, and indeed all hackers and malware, is social engineering mitigations, patching their software, using anti-phishing MFA and using strong and different passwords on every website and service,” said Roger Grimes, data-driven protection evangelist for KnowBe4. “Those four protections, if implemented 100% effectively, eliminate 99% of the risk of attacks and malware.”
