Newsletter 7/19/2022
Feds Exorcize the H0lyGh0st
Source: https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/
Less than two weeks after news broke of the Maui strain of ransomware that North Korea had unleashed on US-based healthcare entities, the Justice Department announced that it had seized approximately $500,000 in ransom payments and related cryptocurrency from these actors. "The seized funds include ransoms paid by health care providers in Kansas and Colorado," according to the Department of Justice press release of July 19, 2022.

The joint advisory from the FBI, CISA, and Treasury that preceded the seizure describes its own scope this way:

"This joint CSA provides information—including tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs)—on Maui ransomware obtained from FBI incident response activities and industry analysis of a Maui sample. The FBI, CISA, and Treasury urge HPH Sector organizations as well as other critical infrastructure organizations to apply the recommendations in the Mitigations section of this CSA to reduce the likelihood of compromise from ransomware operations. Victims of Maui ransomware should report the incident to their local FBI field office or CISA."

The secret sauce that made the recovery of these ill-gotten gains possible was the "rapid reporting and cooperation from a victim," according to the same press release.

Microsoft, meanwhile, has been tracking a separate North Korean ransomware operation since its beginnings. If you would like a deep dive into the history of and techniques employed by the group Microsoft calls DEV-0530, try the full write-up Microsoft published on July 14, 2022. As is its wont, Microsoft's list of recommended mitigations is extensive and goes far beyond thoughts, prayers, and "change your password." From that report:

"A group of actors originating from North Korea that Microsoft Threat Intelligence Center (MSTIC) tracks as DEV-0530 has been developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name for its campaigns and has successfully compromised small businesses in multiple countries as early as September 2021."
As Assistant Attorney General Matthew G. Olsen of the Justice
Department’s National Security Division said in the press release, “Reporting
cyber incidents to law enforcement and cooperating with investigations
not only protects the United States, it is also good business.”
Olsen went on to declare that
“The reimbursement to these victims of the ransom shows
why it pays to work with law enforcement.”
After more than a week of being unable to access encrypted
servers, the Kansas hospital paid approximately $100,000 in Bitcoin to
regain the use of their computers and equipment. Because the Kansas
medical center notified the FBI and cooperated with law enforcement, the
FBI was able to identify the never-before-seen North Korean ransomware
and trace the cryptocurrency to China-based money launderers.
Kudos to the Kansas hospital, not yet named, for recognizing the critical
nature of the problem and not shrinking from its duty as a sworn adherent
to the Hippocratic principle of first, do no harm. The hospital did the
responsible thing and accepted the hard reality of the situation. Just sayin'.
“... once evil is invited in, tremendous effort is required to show it to the door and kick its cloven hoof off the threshold.” — E.A. Bucchianeri, Vocation of a Gadfly
Gerald Reiff