NORTH KOREAN THREAT ACTOR TARGETS SMALL AND MIDSIZE BUSINESSES WITH H0LYGH0ST
RANSOMWARE

 * By Microsoft Digital Security Unit (DSU)
 * By Microsoft Threat Intelligence

July 14, 2022

 * Ransomware
 * Threat actors

> April 2023 update – Microsoft Threat Intelligence has shifted to a new threat
> actor naming taxonomy aligned around the theme of weather. DEV-0530 is now
> tracked as Storm-0530 and PLUTONIUM is now tracked as Onyx Sleet.
> 
> To learn about how the new taxonomy represents the origin, unique traits, and
> impact of threat actors, and to get a complete mapping of threat actor names,
> read this blog: Microsoft shifts to a new threat actor naming taxonomy.

A group of actors originating from North Korea that Microsoft Threat
Intelligence Center (MSTIC) tracks as DEV-0530 has been developing and using
ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st,
utilizes a ransomware payload with the same name for its campaigns and has
successfully compromised small businesses in multiple countries as early as
September 2021.

Along with their H0lyGh0st payload, DEV-0530 maintains an .onion site that the
group uses to interact with their victims. The group’s standard methodology is
to encrypt all files on the target device and use the file extension .h0lyenc,
send the victim a sample of the files as proof, and then demand payment in
Bitcoin in exchange for restoring access to the files. As part of their
extortion tactics, they also threaten to publish victim data on social media or
send the data to the victims’ customers if they refuse to pay. This blog is
intended to capture part of MSTIC’s analysis of DEV-0530 tactics, present the
protections Microsoft has implemented in our security products, and share
insights on DEV-0530 and H0lyGh0st ransomware with the broader security
community to protect mutual customers.

MSTIC assesses that DEV-0530 has connections with another North Korean-based
group tracked as PLUTONIUM (aka DarkSeoul or Andariel). While the use of
H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has observed
communications between the two groups, as well as DEV-0530 using tools created
exclusively by PLUTONIUM.

As with any observed nation-state actor activity, Microsoft directly notifies
customers that have been targeted or compromised, providing them with the
information they need to secure their accounts. Microsoft uses DEV-####
designations as a temporary name given to an unknown, emerging, or a developing
cluster of threat activity, allowing MSTIC to track it as a unique set of
information until we reach high confidence about the origin or identity of the
actor behind the activity.


WHO IS DEV-0530?

DEV-0530 primarily operates ransomware campaigns to pursue financial objectives.
In MSTIC’s investigations of their early campaigns, analysts observed that the
group’s ransom note included a link to the .onion site
hxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd[.]onion, where
the attackers claim to “close the gap between the rich and poor”. They also
attempt to legitimize their actions by claiming to increase the victim’s
security awareness by letting the victims know more about their security
posture.

Figure 1. A H0lyGh0st ransom note linked to the attackers’ .onion site.

Figure 2. DEV-0530 attackers publishing their claims on their website.

Like many other ransomware actors, DEV-0530 notes on their website’s privacy
policy that they would not sell or publish their victim’s data if they get paid.
But if the victim fails to pay, they would publish everything. A contact form is
also available for victims to get in touch with the attackers.

Figure 3. Privacy policy and contact us information on the H0lyGh0st website.


AFFILIATIONS WITH OTHER THREAT ACTORS ORIGINATING FROM NORTH KOREA

MSTIC assesses there is likely some overlap between DEV-0530 and PLUTONIUM.
PLUTONIUM is a North Korean threat actor group affiliated with clusters of
activity that are also known as DarkSeoul and Andariel. Active since at least
2014, PLUTONIUM has primarily targeted the energy and defense industries in
India, South Korea, and the United States using a variety of tactics and
techniques.

MSTIC has observed known DEV-0530 email accounts communicating with known
PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from
the same infrastructure set, and even using custom malware controllers with
similar names.

To further assess the origin of DEV-0530 operations, MSTIC performed a temporal
analysis of observed activity from the group. MSTIC estimates that the pattern
of life of DEV-0530 activity is most consistent with the UTC+8 and UTC+9 time
zones. UTC+9 is the time zone used in North Korea.

Despite these similarities, differences in operational tempo, targeting, and
tradecraft suggest DEV-0530 and PLUTONIUM are distinct groups.


WHY ARE NORTH KOREAN ACTORS USING RANSOMWARE?

Based on geopolitical observations by global experts on North Korean affairs and
circumstantial observations, Microsoft analysts assess the use of ransomware by
North Korea-based actors is likely motivated by two possible objectives.

The first possibility is that the North Korean government sponsors this
activity. The North Korean economy, already weak, has deteriorated further
since 2016 due to sanctions, natural disasters, drought, and the North Korean
government’s COVID-19 lockdown from the outside world since early 2020. To
offset the losses from these economic setbacks, the North Korean government
could have sponsored cyber actors stealing from banks and cryptocurrency
wallets for more than five years. If the North Korean government is ordering
these ransomware attacks, then the attacks would be yet another tactic the
government has enabled to offset financial losses.

However, state-sponsored activity against cryptocurrency organizations has
typically targeted a much broader set of victims than observed in DEV-0530
victimology. Because of this, it is equally possible that the North Korean
government is not enabling or supporting these ransomware attacks. Individuals
with ties to PLUTONIUM infrastructure and tools could be moonlighting for
personal gain. This moonlighting theory might explain the often-random selection
of victims targeted by DEV-0530.

Although Microsoft cannot be certain of DEV-0530’s motivations, the impact of
these ransomware attacks on our customers raises the importance of exposing the
underlying tactics and techniques, detecting and preventing attacks in our
security products, and sharing our knowledge with the security ecosystem.


RANSOMWARE DEVELOPED BY DEV-0530

Between June 2021 and May 2022, MSTIC classified H0lyGh0st ransomware under two
new malware families: SiennaPurple and SiennaBlue. Both were developed and used
by DEV-0530 in campaigns. MSTIC identified four variants under these families –
BTLC_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe – and clustered them based on
code similarity, C2 infrastructure including C2 URL patterns, and ransom note
text. BTLC_C.exe is written in C++ and is classified as SiennaPurple, while the
rest are written in Go, and all variants are compiled into .exe to target
Windows systems. Microsoft Defender Antivirus, which is built into and ships
with Windows 10 and 11, detects and blocks BTLC_C.exe as SiennaPurple and the
rest as SiennaBlue, providing protection for Windows users against all known
variants of the H0lyGh0st malware.

Figure 4. Timeline of DEV-0530 ransomware payloads.


SIENNAPURPLE RANSOMWARE FAMILY: BTLC_C.EXE

BTLC_C.exe is a portable ransomware developed by DEV-0530 and was first seen in
June 2021. This ransomware has fewer features than the malware variants in the
SiennaBlue family. Notably, if not launched as an administrative user, the
BTLC_C.exe malware displays the following hardcoded error before exiting:

"This program only execute under admin privilege".

The malware uses a simple string obfuscation method in which 0x30 is subtracted
from the hex value of each character, so that the string “aic^ef^bi^abc0” is
decoded to 193[.]56[.]29[.]123. The indicators of compromise (IOCs) decoded
from the BTLC_C.exe ransomware are consistent with all malware variants in the
SiennaBlue family, including the C2 infrastructure and the HTTP beacon URL
structure access.php?order=AccessRequest&cmn. The BTLC_C.exe sample analyzed by
MSTIC has the following PDB path: M:\ForOP\attack(utils)\attack
tools\Backdoor\powershell\btlc_C\Release\btlc_C.pdb.
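As an added example (not MSTIC's or Microsoft's code), the following Python reverses the SiennaPurple string obfuscation just described and sweeps a constructed buffer for further encoded strings. The beacon path in the sample is encoded with the same shift on the assumption that BTLC_C.exe stores it that way; the IOC-shape filter is a heuristic.

```python
"""Decoder and scanner for the SiennaPurple (BTLC_C.exe) string obfuscation.

Added example, not MSTIC's or Microsoft's code. Each character of an
obfuscated string is recovered by subtracting 0x30 from its value, so
"aic^ef^bi^abc0" decodes to 193.56.29.123. Because a NUL (0x00) encodes to
the digit '0' (0x30), an encoded '0' acts as the string terminator.
SAMPLE_BLOB is a constructed stand-in for a binary's data section.
"""
import re
from typing import List, Tuple

SHIFT = 0x30
ENC_MIN, ENC_MAX = 0x20 + SHIFT, 0x7E + SHIFT   # encoded printable ASCII: 0x50..0xAE
TERMINATOR = 0x00 + SHIFT                        # encoded NUL is the ASCII digit '0'


def decode_string(encoded: bytes) -> str:
    """Undo the shift for one string, stopping at the encoded NUL."""
    plain = bytearray()
    for b in encoded:
        if b == TERMINATOR:
            break
        if not ENC_MIN <= b <= ENC_MAX:
            raise ValueError(f"0x{b:02x} cannot be an encoded printable character")
        plain.append(b - SHIFT)
    return plain.decode("ascii")


def encode_string(plain: str) -> bytes:
    """Inverse transform: turns a known IOC into the byte pattern to hunt for."""
    return bytes(ord(c) + SHIFT for c in plain) + bytes([TERMINATOR])


# A run of at least four encoded printable bytes followed by the encoded NUL.
CANDIDATE = re.compile(rb"[\x50-\xae]{4,}\x30")
# Heuristic (assumption): network IOCs decode to URL/IP-like text, while normal
# ASCII words that merely end in '0' decode to garbage and fail this check.
LOOKS_LIKE_IOC = re.compile(r"[A-Za-z0-9._/:?=&%-]+")


def find_obfuscated_strings(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, decoded) for candidates that decode to IOC-like text."""
    hits = []
    for m in CANDIDATE.finditer(blob):
        decoded = decode_string(m.group(0))
        if LOOKS_LIKE_IOC.fullmatch(decoded) and ("." in decoded or "/" in decoded):
            hits.append((m.start(), decoded))
    return hits


def defang(text: str) -> str:
    """Render a decoded indicator safely for reports (193.56.29.123 -> 193[.]56[.]29[.]123)."""
    return text.replace(".", "[.]").replace("http", "hxxp")


# Constructed sample: PE-like header bytes, the plaintext admin-check error
# string quoted in the blog, the encoded C2 address, an encoded beacon path
# built with encode_string, and a plain ASCII word ending in '0' that the
# filter must reject.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"This program only execute under admin privilege\x00"
    + b"aic^ef^bi^abc0"
    + b"\x00\x00"
    + encode_string("access.php?order=AccessRequest&cmn")
    + b"\x00ello0\x00"
)

if __name__ == "__main__":
    for offset, decoded in find_obfuscated_strings(SAMPLE_BLOB):
        print(f"{offset:#06x}: {defang(decoded)}")
```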


SIENNABLUE RANSOMWARE FAMILY: HOLYRS.EXE, HOLYLOCKER.EXE, AND BTLC.EXE

Between October 2021 and May 2022, MSTIC observed a cluster of new DEV-0530
ransomware variants written in Go. We classified these variants as SiennaBlue.
While new Go functions were added to the different variants over time, all the
ransomware in the SiennaBlue family share the same core Go functions.

A deeper look into the Go functions used in the SiennaBlue ransomware showed
that over time, the core functionality expanded to include features like various
encryption options, string obfuscation, public key management, and support for
the internet and intranet. The table below demonstrates this expansion by
comparing the Go functions in HolyRS.exe and BTLC.exe:



HolyRS.exe [2021]:

 * main_main
 * main_init_0
 * main_IsAdmin
 * main_encryptFiles
 * HolyLocker_RsaAlgorithm_GenerateKeyPair
 * HolyLocker_RsaAlgorithm_Encrypt
 * HolyLocker_CryptoAlogrithm___ptr_File__EncryptRSA
 * HolyLocker_CryptoAlogrithm___ptr_File__EncryptAES
 * HolyLocker_utilities_GenerateRandomANString
 * HolyLocker_utilities_StringInSlice
 * HolyLocker_utilities_SliceContainsSubstring
 * HolyLocker_utilities_RenameFile
 * HolyLocker_Main_init
 * HolyLocker_communication_New
 * HolyLocker_communication___ptr_Client__GetPubkeyFromServer
 * HolyLocker_communication___ptr_Client__Do
 * HolyLocker_communication___ptr_Client__SendEncryptedPayload
 * HolyLocker_communication___ptr_Client__SendFinishRequest
 * HolyLocker_communication___ptr_Client__AddNewKeyPairToIntranet
 * HolyLocker_communication___ptr_Client__AddNewKeyPair

BTLC.exe [2022]:

 * main_main
 * main_init_0
 * main_IsAdmin
 * main_encryptFiles
 * main_DeleteSchTask
 * main_DisableNetworkDevice
 * main_encryptString
 * main_decryptString
 * main_cryptAVPass
 * main_SelfDelete
 * HolyLocker_RsaAlgorithm_GenerateKeyPair
 * HolyLocker_RsaAlgorithm_Encrypt
 * HolyLocker_CryptoAlogrithm___ptr_File__EncryptRSA
 * HolyLocker_CryptoAlogrithm___ptr_File__EncryptAES
 * HolyLocker_utilities_GenerateRandomANString
 * HolyLocker_utilities_StringInSlice
 * HolyLocker_utilities_SliceContainsSubstring
 * HolyLocker_utilities_RenameFile
 * HolyLocker_Main_init
 * HolyLocker_communication_New
 * HolyLocker_communication___ptr_Client__GetPubkeyFromServer
 * HolyLocker_communication___ptr_Client__Do
 * HolyLocker_communication___ptr_Client__SendEncryptedPayload
 * HolyLocker_communication___ptr_Client__SendFinishRequest
 * HolyLocker_communication___ptr_Client__AddNewKeyPairToIntranet
 * HolyLocker_communication___ptr_Client__AddNewKeyPair

MSTIC assesses DEV-0530 successfully compromised several targets in multiple
countries using HolyRS.exe in November 2021. A review of the victims showed they
were primarily small-to-midsized businesses, including manufacturing
organizations, banks, schools, and event and meeting planning companies. The
victimology indicates that these victims are most likely targets of opportunity.
MSTIC suspects that DEV-0530 might have exploited vulnerabilities such as
CVE-2022-26352 (DotCMS remote code execution vulnerability) on public-facing web
applications and content management systems to gain initial access into target
networks. The SiennaBlue malware variants were then dropped and executed. To
date, MSTIC has not observed DEV-0530 using any 0-day exploits in their attacks.

After successfully compromising a network, DEV-0530 exfiltrated a full copy of
the victims’ files. Next, the attackers encrypted the contents of the victim
device, replacing all file names with Base64-encoded versions of the file names
and renaming the extension to .h0lyenc. Victims found a ransom note in
C:\FOR_DECRYPT.html, as well as an email from the attackers with subject lines
such as:

!!!!We are < H0lyGh0st>. Please Read me!!!!

As seen in the screenshot below, the email from the attackers let the victim
know that the group has stolen and encrypted all their files. The email also
included a link to a sample of the stolen data to prove their claim, in addition
to the demand for payment for recovering the files.

Figure 5. Ransom note left by DEV-0530 attackers.
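The file-renaming behaviour described above can be used to scope an incident. Added example, not Microsoft's or the actor's code: it recovers original names from .h0lyenc files in a constructed directory listing, assuming the Base64 covers the full original file name as UTF-8 in either the standard or the URL-safe alphabet, with or without padding.

```python
"""Recover original file names from DEV-0530 .h0lyenc files for incident scoping.

Added example, not Microsoft's or the actor's code. The blog states that the
ransomware replaces each file name with a Base64-encoded version, changes the
extension to .h0lyenc, and leaves a ransom note at C:\\FOR_DECRYPT.html.
Assumptions: the Base64 input is the full original name (including its
extension) as UTF-8, in the standard or URL-safe alphabet, possibly with
padding stripped. SAMPLE_LISTING is constructed.
"""
import base64
import binascii
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

ENCRYPTED_EXT = ".h0lyenc"
RANSOM_NOTE = "FOR_DECRYPT.html"
FORBIDDEN = '\\/:*?"<>|'   # characters a Windows file name cannot contain


def recover_original_name(encrypted_name: str) -> Optional[str]:
    """Decode 'BASE64.h0lyenc' back to the original name, or None if it does not decode cleanly."""
    if not encrypted_name.lower().endswith(ENCRYPTED_EXT):
        return None
    stem = encrypted_name[: -len(ENCRYPTED_EXT)]
    if not stem:
        return None
    padded = stem + "=" * (-len(stem) % 4)   # tolerate stripped padding (assumption)
    for altchars in (None, b"-_"):           # standard alphabet first, then URL-safe
        try:
            raw = base64.b64decode(padded, altchars=altchars, validate=True)
            name = raw.decode("utf-8")
        except (binascii.Error, ValueError):
            continue
        # Sanity check: the result must itself be a plausible file name.
        if name and name.isprintable() and not any(ch in name for ch in FORBIDDEN):
            return name
    return None


def triage_listing(paths: List[str]) -> Dict[str, object]:
    """Split a listing into recovered encrypted files, odd .h0lyenc files, ransom notes, and untouched files."""
    report: Dict[str, object] = {"recovered": {}, "unrecoverable": [], "ransom_notes": [], "untouched": 0}
    for p in paths:
        win = PureWindowsPath(p)
        name = win.name
        if name.lower() == RANSOM_NOTE.lower():
            report["ransom_notes"].append(p)
        elif name.lower().endswith(ENCRYPTED_EXT):
            original = recover_original_name(name)
            if original is None:
                report["unrecoverable"].append(p)
            else:
                report["recovered"][p] = str(win.with_name(original))
        else:
            report["untouched"] += 1
    return report


def _enc(name: str) -> str:
    """Build a constructed encrypted name the way the blog describes (standard Base64 + .h0lyenc)."""
    return base64.b64encode(name.encode("utf-8")).decode("ascii") + ENCRYPTED_EXT


# Constructed listing: ransom note, two standard-Base64 names, one URL-safe
# name ("ab~.txt", whose standard form would contain '+'), one junk .h0lyenc
# name, and one untouched file.
DOCS = "C:\\Users\\finance\\Documents\\"
SAMPLE_LISTING = [
    "C:\\FOR_DECRYPT.html",
    DOCS + _enc("Q1 invoices.xlsx"),
    DOCS + _enc("budget.docx"),
    DOCS + "YWJ-LnR4dA==.h0lyenc",
    DOCS + "!!!bad.h0lyenc",
    DOCS + "notes.txt",
]

if __name__ == "__main__":
    for enc_path, orig_path in triage_listing(SAMPLE_LISTING)["recovered"].items():
        print(f"{enc_path} -> {orig_path}")
```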

BTLC.exe is the latest DEV-0530 ransomware variant and has been seen in the wild
since April 2022. BTLC.exe can be configured to connect to a network share using
the default username, password, and intranet URL hardcoded in the malware if the
ServerBaseURL is not accessible from the device. One notable feature added to
BTLC.exe is a persistence mechanism in which the malware creates or deletes a
scheduled task called lockertask, such that the following command line syntax
can be used to launch the ransomware:

cmd.exe /Q /c schtasks /create /tn lockertask /tr [File] /sc minute /mo 1 /F /ru system 1> \\127.0.0.1\ADMIN$\__[randomnumber] 2>&1

Once the ransomware is successfully launched as an administrator, it tries to
connect to the default ServerBaseURL hardcoded in the malware, attempts to
upload a public key to the C2 server, and encrypts all files in the victim’s
drive.



HolyRS.exe/HolyLocker.exe C2 configuration:

 * main_ServerBaseURL: hxxp://193[.]56[.]29[.]123:8888
 * main_IntranetURL: 10[.]10[.]3[.]42
 * main_Username: adm-karsair

BTLC.exe C2 configuration:

 * EncryptionKey: H0lyGh0stKey1234
 * IntranetUrl: 192[.]168[.]168[.]5
 * Username: atrismsp
 * Scheduledtask name: lockertask

Figure 6. BTLC.exe C2 communication

Based on our investigation, the attackers frequently asked victims for anywhere
from 1.2 to 5 Bitcoins. However, the attackers were usually willing to negotiate
and, in some cases, lowered the price to less than one-third of the initial
asking price. As of early July 2022, a review of the attackers’ wallet
transactions shows that they have not successfully extorted ransom payments from
their victims.

Figure 7. Screenshot of DEV-0530 attackers’ wallet

HolyRS.exe/BTLC.exe C2 URL pattern:

 * hxxp://193[.]56[.]29[.]123:8888/access.php?order=GetPubkey&cmn=[Victim_HostName]
 * hxxp://193[.]56[.]29[.]123:8888/access.php?order=golc_key_add&cmn=[Victim_HostName]&type=1
 * hxxp://193[.]56[.]29[.]123:8888/access.php?order=golc_key_add&cmn=[Victim_HostName]&type=2
 * hxxp://193[.]56[.]29[.]123:8888/access.php?order=golc_finish&cmn=[Victim_HostName]&
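The lockertask persistence command and the C2 URL patterns above translate directly into detection logic. Added example, not one of the published Sentinel queries: it runs over constructed, pre-normalised events and tracks how far each host progressed through the GetPubkey / golc_key_add / golc_finish sequence (the stage order is inferred from the function names and the described key-fetch, key-upload, finish flow).

```python
"""Detection logic for two DEV-0530 artifacts: the lockertask scheduled-task
persistence command and the HolyRS.exe/BTLC.exe C2 URL pattern.

Added example, not one of the published Sentinel queries. Events are assumed
to be pre-normalised dicts: kind="process" with a "cmdline", or kind="web"
with a "url". SAMPLE_EVENTS is constructed. The stage order (GetPubkey ->
golc_key_add -> golc_finish) is inferred from the malware's function names
and the blog's description of fetching a key, uploading a key, then finishing.
"""
import shlex
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# "order" values from the beacon structure and C2 URL patterns quoted in the blog.
C2_STAGES = {"AccessRequest": 0, "GetPubkey": 1, "golc_key_add": 2, "golc_finish": 3}


def classify_c2_url(url: str) -> Optional[Dict[str, Optional[str]]]:
    """Return request details if url matches access.php?order=<stage>&cmn=<victim>."""
    parts = urlsplit(url)
    if not parts.path.endswith("/access.php"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # tolerates the trailing '&'
    order = qs.get("order", [None])[0]
    if order not in C2_STAGES or "cmn" not in qs:
        return None
    return {"c2": parts.netloc, "order": order,
            "victim": qs["cmn"][0], "type": qs.get("type", [None])[0]}


def _option(tokens: List[str], flag: str) -> Optional[str]:
    """Value that follows a schtasks flag such as /tn, or None if absent."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == flag:
            return tokens[i + 1]
    return None


def classify_schtasks(cmdline: str) -> Optional[str]:
    """Flag schtasks /create invocations shaped like the BTLC.exe persistence command."""
    try:
        tokens = [t.lower() for t in shlex.split(cmdline, posix=False)]  # non-posix keeps backslashes
    except ValueError:   # unbalanced quotes
        return None
    if not any(t.endswith(("schtasks", "schtasks.exe")) for t in tokens) or "/create" not in tokens:
        return None
    if _option(tokens, "/tn") == "lockertask":
        return "lockertask scheduled task created (BTLC.exe persistence)"
    if (_option(tokens, "/sc"), _option(tokens, "/mo"), _option(tokens, "/ru")) == ("minute", "1", "system"):
        return "every-minute task running as SYSTEM (lockertask shape, different name)"
    return None


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Apply both detections to a list of events and return findings."""
    findings: List[Dict[str, Optional[str]]] = []
    for ev in events:
        base = {"host": ev.get("host", "?"), "ts": ev.get("ts", "?"), "order": None}
        if ev.get("kind") == "process":
            reason = classify_schtasks(ev.get("cmdline", ""))
            if reason:
                findings.append({**base, "reason": reason})
        elif ev.get("kind") == "web":
            hit = classify_c2_url(ev.get("url", ""))
            if hit:
                findings.append({**base, "order": hit["order"],
                                 "reason": f"C2 beacon to {hit['c2']} order={hit['order']} victim={hit['victim']}"})
    return findings


def encryption_stage(findings: List[Dict[str, Optional[str]]]) -> Dict[str, str]:
    """Furthest C2 stage seen per host; golc_finish indicates encryption completed."""
    furthest: Dict[str, str] = {}
    for f in findings:
        order = f.get("order")
        if order is None:
            continue
        host = f["host"]
        if host not in furthest or C2_STAGES[order] > C2_STAGES[furthest[host]]:
            furthest[host] = order
    return furthest


# Constructed events: one host following the flow in the blog, one host with
# look-alike but benign activity. The BTLC.exe path is a placeholder.
SAMPLE_EVENTS = [
    {"ts": "2022-04-12T03:14:07Z", "host": "FIN-PC01", "kind": "process",
     "cmdline": "cmd.exe /Q /c schtasks /create /tn lockertask /tr C:\\placeholder\\BTLC.exe "
                "/sc minute /mo 1 /F /ru system 1> \\\\127.0.0.1\\ADMIN$\\__48213 2>&1"},
    {"ts": "2022-04-12T03:14:09Z", "host": "FIN-PC01", "kind": "web",
     "url": "http://193.56.29.123:8888/access.php?order=GetPubkey&cmn=FIN-PC01"},
    {"ts": "2022-04-12T03:14:10Z", "host": "FIN-PC01", "kind": "web",
     "url": "http://193.56.29.123:8888/access.php?order=golc_key_add&cmn=FIN-PC01&type=1"},
    {"ts": "2022-04-12T03:41:55Z", "host": "FIN-PC01", "kind": "web",
     "url": "http://193.56.29.123:8888/access.php?order=golc_finish&cmn=FIN-PC01&"},
    {"ts": "2022-04-12T08:00:00Z", "host": "HR-PC07", "kind": "web",
     "url": "http://intranet.example/portal/access.php?order=12345&cmn=HR-PC07"},
    {"ts": "2022-04-12T08:05:00Z", "host": "HR-PC07", "kind": "process",
     "cmdline": "schtasks /create /tn BackupNightly /tr C:\\backup.bat /sc daily /st 02:00"},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["ts"], finding["host"], finding["reason"])
    print(encryption_stage(scan_events(SAMPLE_EVENTS)))
```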

Examples of HolyRS.exe/BTLC.exe ransom note metadata:

Attacker email address: H0lyGh0st@mail2tor[.]com
Image location:
hxxps://cloud-ex42[.]usaupload[.]com/cache/plugins/filepreviewer/219002/f44c6929994386ac2ae18b93f8270ec9ff8420d528c9e35a878efaa2d38fb94c/1100x800_cropped.jpg
Report URL:
hxxp://matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd[.]onion

Microsoft will continue to monitor DEV-0530 activity and implement protections
for our customers. The current detections, advanced detections, and indicators
of compromise (IOCs) in place across our security products are detailed below.


RECOMMENDED CUSTOMER ACTIONS

Microsoft has implemented protections to detect these malware families as
SiennaPurple and SiennaBlue (e.g., Ransom:Win32/SiennaBlue.A) via Microsoft
Defender Antivirus and Microsoft Defender for Endpoint, wherever these are
deployed on-premises and in cloud environments.

Microsoft encourages all organizations to proactively implement and frequently
validate a data backup and restore plan as part of broader protection against
ransomware and extortion threats.

The techniques used by DEV-0530 in H0lyGh0st activity can be mitigated by
adopting the security considerations provided below:

 * Use the included IOCs to investigate whether they exist in your environment
   and assess for potential intrusion.

Our blog on the ransomware as a service economy has an exhaustive guide on how
to protect against ransomware threats. We encourage readers to refer to that
blog for a comprehensive guide that has a deep dive into each of the following
areas:

 * Building credential hygiene
 * Auditing credential exposure
 * Prioritizing deployment of Active Directory updates
 * Cloud hardening
   * Implement the Azure Security Benchmark and general best practices for
     securing identity infrastructure.
   * Ensure cloud admins/tenant admins are treated with the same level of
     security and credential hygiene as Domain Admins.
   * Address gaps in authentication coverage.
 * Enforcing MFA on all accounts, removing users excluded from MFA, and strictly
   requiring MFA from all devices, in all locations, at all times.
 * Enabling passwordless authentication methods (for example, Windows Hello,
   FIDO keys, or Microsoft Authenticator) for accounts that support
   passwordless. For accounts that still require passwords, use authenticator
   apps like Microsoft Authenticator for MFA.
 * Disabling legacy authentication.

For small or midsize companies that use Microsoft Defender for Business or
Microsoft 365 Business Premium, enabling each of the features below will provide
a protective layer against these threats where applicable. For Microsoft
365 Defender customers, the following checklist eliminates security blind spots:

 * Turn on cloud-delivered protection in Microsoft Defender Antivirus to cover
   rapidly evolving attacker tools and techniques, block new and unknown malware
   variants, and enhance attack surface reduction rules and tamper protection.
 * Turn on tamper protection features to prevent attackers from stopping
   security services.
 * Run EDR in block mode so that Microsoft Defender for Endpoint can block
   malicious artifacts, even when a non-Microsoft antivirus doesn’t detect the
   threat or when Microsoft Defender Antivirus is running in passive mode. EDR
   in block mode also blocks indicators identified proactively by Microsoft
   Threat Intelligence teams.
 * Enable network protection to prevent applications or users from accessing
   malicious domains and other malicious content on the internet.
 * Enable investigation and remediation in full automated mode to allow
   Microsoft Defender for Endpoint to take immediate action on alerts to resolve
   breaches.
 * Use device discovery to increase visibility into the network by finding
   unmanaged devices and onboarding them to Microsoft Defender for Endpoint.
 * Protect user identities and credentials using Microsoft Defender for
   Identity, a cloud-based security solution that leverages on-premises Active
   Directory signals to monitor and analyze user behavior to identify suspicious
   user activities, configuration issues, and active attacks.


INDICATORS OF COMPROMISE

This list provides IOCs observed during our investigation. We encourage our
customers to investigate these indicators in their environments and implement
detections and protections to identify past related activity and prevent future
attacks against their systems.



Indicator (Type): Description

 * 99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd (SHA-256):
   Hash of BTLC_C.exe
 * f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86 (SHA-256):
   Hash of HolyRS.exe
 * bea866b327a2dc2aa104b7ad7307008919c06620771ec3715a059e675d9f40af (SHA-256):
   Hash of BTLC.exe
 * cmd.exe /Q /c schtasks /create /tn lockertask /tr [File] /sc minute /mo 1 /F /ru system 1> \\127.0.0.1\ADMIN$\__[randomnumber] 2>&1 (Command line):
   Example of new ScheduledTask to BTLC.exe
 * 193[.]56[.]29[.]123 (C2): C2 IP address
 * H0lyGh0st@mail2tor[.]com (Email): Ransomware payment communication address
 * C:\FOR_DECRYPT.html (File path): File path of ransom note

NOTE: These indicators should not be considered exhaustive for this observed
activity.


MICROSOFT 365 DETECTIONS


MICROSOFT DEFENDER ANTIVIRUS

 * Trojan:Win32/SiennaPurple.A
 * Ransom:Win32/SiennaBlue.A
 * Ransom:Win32/SiennaBlue.B


MICROSOFT DEFENDER FOR ENDPOINT

Microsoft Defender for Endpoint customers may see any or a combination of the
following alerts as an indication of possible attack.

 * DEV-0530 activity group
 * Ransomware behavior detected in the file system
 * Possible ransomware infection modifying multiple files
 * Possible ransomware activity


ADVANCED HUNTING QUERIES


MICROSOFT SENTINEL

To locate possible DEV-0530 activity mentioned in this blog post, Microsoft
Sentinel customers can use the queries detailed below:

Identify DEV-0530 IOCs

This query identifies a match based on IOCs related to DEV-0530 across various
Sentinel data feeds:

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_July2022.yaml

Identify renamed file extension

DEV-0530 actors are known to encrypt the contents of the victim’s device as well
as rename the file and extension. The following query detects the creation of
files with .h0lyenc extension:

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Dev-0530_FileExtRename.yaml

Identify Microsoft Defender Antivirus detection related to DEV-0530

This query looks for Microsoft Defender AV detections related to DEV-0530 and
joins the alert with other data sources to surface additional information such
as device, IP, signed-in users, etc.

https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityAlert/Dev-0530AVHits.yaml


YARA RULES

rule SiennaPurple
{
    meta:
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        description = "Detects PDB path, C2, and ransom note in DEV-0530 Ransomware SiennaPurple samples"
        hash = "99fc54786a72f32fd44c7391c2171ca31e72ca52725c68e2dde94d04c286fccd"
    strings:
        $s1 = "ForOP\\attack(utils)\\attack tools\\Backdoor\\powershell\\btlc_C\\Release\\btlc_C.pdb"
        $s2 = "matmq3z3hiovia3voe2tix2x54sghc3tszj74xgdy4tqtypoycszqzqd.onion"
        $s3 = "H0lyGh0st@mail2tor.com"
        $s4 = "We are <HolyGhost>. All your important files are stored and encrypted."
        $s5 = "aic^ef^bi^abc0"
        $s6 = "---------------------------3819074751749789153841466081"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 7MB and filesize > 1MB and
        all of ($s*)
}

rule SiennaBlue
{
    meta:
        author = "Microsoft Threat Intelligence Center (MSTIC)"
        description = "Detects Golang package, function, and source file names observed in DEV-0530 Ransomware SiennaBlue samples"
        hash1 = "f8fc2445a9814ca8cf48a979bff7f182d6538f4d1ff438cf259268e8b4b76f86"
        hash2 = "541825cb652606c2ea12fd25a842a8b3456d025841c3a7f563655ef77bb67219"
    strings:
        $holylocker_s1 = "C:/Users/user/Downloads/development/src/HolyLocker/Main/HolyLock/locker.go"
        $holylocker_s2 = "HolyLocker/Main.EncryptionExtension"
        $holylocker_s3 = "HolyLocker/Main.ContactEmail"
        $holylocker_s4 = "HolyLocker/communication.(*Client).GetPubkeyFromServer"
        $holylocker_s5 = "HolyLocker/communication.(*Client).AddNewKeyPairToIntranet"

        $holyrs_s1 = "C:/Users/user/Downloads/development/src/HolyGhostProject/MainFunc/HolyRS/HolyRS.go"
        $holyrs_s2 = "HolyGhostProject/MainFunc.ContactEmail"
        $holyrs_s3 = "HolyGhostProject/MainFunc.EncryptionExtension"
        $holyrs_s4 = "HolyGhostProject/Network.(*Client).GetPubkeyFromServer"
        $holyrs_s5 = "HolyGhostProject/Network.(*Client).AddNewKeyPairToIntranet"
        $s1 = "Our site : <b><a href=%s>H0lyGh0stWebsite"
        $s2 = ".h0lyenc"
        $go_prefix = "Go build ID:"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        filesize < 7MB and filesize > 1MB and
        $go_prefix and all of ($s*) and (all of ($holylocker_*) or all of ($holyrs_*))
}


