North Korean hackers have been running a ransomware operation named Holy Ghost for more than a year, targeting small businesses in different countries.

The Holy Ghost ransomware

Researchers at MSTIC are tracking the Holy Ghost ransomware group as DEV-0530. In a recent report, they claimed that the first payload from this group was spotted last year in June.
  • The early Holy Ghost ransomware variant, detected as SiennaPurple (BTLC_C[.]exe), did not have many features in comparison to other Go-based versions that emerged in October 2021.
  • The latest variants are tracked as SiennaBlue and include HolyLocker[.]exe, BTLC[.]exe, and HolyRS[.]exe payloads.
  • Both variants were created and used by DEV-0530 in its campaigns. However, their functionality expanded over time to add multiple encryption options, public key management, internet/intranet support, and string obfuscation.

The victims

DEV-0530 successfully targeted multiple victims, including schools, banks, manufacturing organizations, and event and meeting planning entities. In most cases, the attackers demanded 1.2 to 5 BTC from the victims.

North Korean connection

According to researchers, the infrequent rate of attacks and the random selection of victims support the theory that the Holy Ghost ransomware operation is run by North Korea.
  • MSTIC revealed email communications between Holy Ghost and a threat actor that is part of the Lazarus Group (Andariel), working under North Korea's Reconnaissance General Bureau.
  • Additionally, both groups were observed operating from the same infrastructure set. They also used custom malware controllers with similar names, which strengthens the connection.


Holy Ghost has remained active for more than a year, yet did not raise any red flags. This highlights the efforts attackers make to keep their operations stealthy. For organizations to stay protected, experts recommend collaborative action, including sharing the indicators of compromise while looking into the malware.
Cyware Publisher