EXECUTIVE SUMMARY:

Holy Ghost ransomware operators have styled themselves as a legitimate corporate entity that tries to assist victims in improving security. The group claims to increase a given victim’s security awareness by informing them about their security posture.

Recent Holy Ghost ransomware victims consist of small-to-midsize businesses, including banks, manufacturing organizations, event and meeting management firms, and educational institutions.

Holy Ghost ransomware

The Holy Ghost ransomware group has been active for at least 12 months. Its overall modus operandi looks similar to that of other ransomware gangs; double extortion, threats of leaked data, and requests for payment in bitcoin.

Researchers with the Microsoft Threat Intelligence Center (MSTIC) have tagged the group as DEV-0530. But most people simply refer to the group as the Holy Ghost ransomware operators.

Holy Ghost ransomware note

Below is a sample of a Holy Ghost ransomware operator note left for victims.

Holy Ghost Ransom Note

The Holy Ghost ransomware group is believed to exploit vulnerabilities such as CVE-2022-26352 (DotCMS remote code execution vulnerability) on public facing web applications and content management systems in order to gain a foothold in targeted networks.

Categorized as SiennaPurple (BTLC_C.exe), the initial Holy Ghost ransomware lacked sophisticated features. However, the subsequent Go-based versions that emerged in October of 2021 showed significant evolution. Newer functionalities include multiple encryption options, string obfuscation, public key management, and internet/intranet support.

Link to North Korea

One theory suggests that Holy Ghost ransomware may have emerged from North Korea. The group may or may not be controlled by the North Korean government. Hackers working for the Pyongyang regime may be executing this ransomware independently for financial gain.

How to avoid Holy Ghost ransomware

The following basics can assist you and your team in preventing Holy Ghost ransomware attacks. More information about these topics can be found across CyberTalk.org and within the corresponding links here.

  • Proactively implement and validate a data backup plan
  • Ditto for a restoration plan
  • Increase credential hygiene
  • Audit credential exposure
  • Focus on cloud hardening
  • Implement the Azure Security Benchmark
  • Adopt general best practices for securing identity infrastructure
  • Ensure cloud admins/tenant admins are treated with identical levels of security and credential hygiene as Domain Admins
  • ¬†Close gaps in authentication coverage
  • Apply and enforce Multi-Factor Authentication on all accounts
  • Strictly require MFA from all devices in all locations, 24/7
  • Enable passwordless authentication methods (ex. Windows Hello, FIDO keys, or Microsoft Authenticator) for accounts with passwordless support

In conclusion

“The victimology indicates that these victims are most likely targets of opportunity,” according to Microsoft’s Threat Intelligence Center. In other words, these attacks may have been largely avoidable.

A proactive approach to cyber security preparedness can go a long way. Where is your organization on its preparedness journey? Implement the concepts outlined above, and be sure to explore additional endpoint protection options. See CyberTalk.org’s Endpoint Security Buyer’s Guide for further information.

Discover expert ransomware insights here and get a ransomware prevention checklist right here.  Lastly, to receive cutting-edge cyber security news, exclusive expert interviews, in-depth analyses and premium cyber security resources, please sign up for the CyberTalk.org newsletter.