Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Microsoft Links Holy Ghost Ransomware Operation to North Korean Hackers

Microsoft Links Holy Ghost Ransomware Operation to North Korean Hackers

For more than a year, North Korean hackers have been running a ransomware operation called HolyGhost, attacking small businesses in various countries.

The group has been active for quite a while but it failed to gain the notoriety and financial success of other gangs even if the operation followed the same recipe: double extortion combined with a leak site to publish the name of the victims and stolen data.

Opportunistic attacks, small demands

Researchers at Microsoft Threat Intelligence Center (MSTIC) are tracking the Holy Ghost ransomware gang as DEV-0530. In a report earlier today, they say that the first payload from this threat actor was seen last year in June.

Classified as SiennaPurple (BTLC_C.exe), the early Holy Ghost ransomware variant did not come with many features compared to the subsequent Go-based versions that emerged in October 2021.

Microsoft tracks the newer variants as SiennaBlue (HolyRS.exe, HolyLocker.exe, and BTLC.exe) and notes that their functionality expanded over time to include multiple encryption options, string obfuscation, public key management, and internet/intranet support.

Also Read: PDPA compliance for the healthcare sector

Timeline for Holy Ghost ransomware payloads
Holy Ghost ransomware payloads

The researchers say that DEV-0530 managed to compromise several targets, mainly small-to-midsize businesses. Among victims were banks, schools, manufacturing organizations, and event and meeting planning companies.

“The victimology indicates that these victims are most likely targets of opportunity. MSTIC suspects that DEV-0530 might have exploited vulnerabilities such as CVE-2022-26352 (DotCMS remote code execution vulnerability) on public-facing web applications and content management systems to gain initial access into target networks” – Microsoft Threat Intelligence Center

Holy Ghost actors followed the pattern of a typical ransomware attack and stole data before deploying the encryption routine on infected systems.

The attacker left a ransom note on the compromised machine and they also emailed the victim with a link to a sample of stolen data to announce that they were willing to negotiate a ransom in exchange for the decryption key.

Holy Ghost ransom note
Holy Ghost ransom note

Usually, the actors demanded a small payout between 1.2 to 5 bitcoins, or up to about $100,000 at the current exchange rate.

Even if the demands were not large, the attacker was willing to negotiate and sometimes lowered the price to less than a third of the initial demand, MSTIC says.

Also Read: The difference between data privacy and data protection

Link to North Korea

This detail, the infrequent rate of attacks, and the random selection of victims add to the theory that the Holy Ghost ransomware operation may not be controlled by the North Korean government.

Instead, hackers working for the Pyongyang regime may be doing this on their own, for personal financial gain.

The connection with state-backed hacker groups is present, though, as MSTIC found communication between email accounts belonging to Holy Ghost and the Andariel, a threat actor part of the Lazarus Group under North Korea’s Reconnaissance General Bureau.

The link between the two groups is made stronger by the fact that both were “operating from the same infrastructure set, and even using custom malware controllers with similar names,” the researchers say.

Posing as do-gooders

Holy Ghost’s website is down at the moment but the attacker used the little visibility it had to pose as a legitimate entity trying to help victims improve their security posture.

Furthermore, they motivate their actions as an effort to “close the gap between the rich and poor” and to “help the poor and starving people.”

Holy Ghost ransomware op manifesto
Holy Ghost ransomware manifesto

Like other actors in the ransomware business, Holy Ghost assures victims that they would not sell or leak the stolen data if they get paid.

Microsoft’s report includes a set of recommended actions to prevent infections with Holy Ghost payloads as well as some indicators of compromise discovered while investigating the malware.

Holy Ghost is the second ransomware operation connected to North Korea.

Last week, a joint advisory from the FBI, CISA, and the U.S. Treasury Department warned about Maui ransomware targeting healthcare organizations with the support of North Korean government.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us