
H0lyGh0st Ransomware

The H0lyGh0st Ransomware is a worrisome threat that is being used in attacks against SMEs (Small and Medium-Sized Enterprises). The operators of the threat are believed to be a North Korean hacker group whose activities are tracked as DEV-0530 by the cybersecurity researchers at the Microsoft Threat Intelligence Center (MSTIC). According to their findings, the hacker outfit has been active since at least June 2021 and has managed to infect businesses in multiple countries.

The H0lyGh0st (aka HolyGhost) threat is designed to encrypt the data found on the breached devices and render it completely unusable. Each locked file has '.h0lyenc' appended to its original name as a new extension. The threat then creates an HTML file named 'FOR_DECRYPT.html' on the infected system. Opening the file displays a ransom note with instructions for the victims.

The message left by H0lyGh0st Ransomware mainly instructs the affected targets on how to contact the hackers. It mentions the email address 'H0lyGh0st@mail2tor.com', but the main communication channel appears to be a dedicated website hosted on the TOR network. Typically, the operators of the threat accept payments made in Bitcoin only and run a double-extortion scheme. This means that besides locking the data of their victims, the cybercriminals also collect sensitive data that they threaten to release to the public if their demands are not met.

The full text of H0lyGh0st Ransomware's note is:

'H0lyGh0st

Please Read this text to decrypt all files encrypted.

Don't worry, you can return all of your files.

If you want to restore all of your files, Send mail to H0lyGh0st@mail2tor.com with your Id. Your ID is
Or install tor browser and contact us with your id or company name(If all of pcs in your company are encrypted).

Our site : H0lyGh0stWebsite

Our Service

After you pay, We will send unlocker with decryption key

Attention!

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increase price.

Antivirus may block our unlocker, So disable antivirus first and execute unlocker with decryption key.'
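
The file-system indicators described above ('.h0lyenc' extension, 'FOR_DECRYPT.html' note, contact address in the note) can be swept for during triage. The following Python scanner is an added example, not part of the original page or of any vendor tooling; the function names and the case-insensitive matching are assumptions, and the sample tree is constructed.

```python
import os
import tempfile
from collections import Counter

# Indicators taken from the description above (compared case-insensitively,
# which is an assumption made for this example).
ENCRYPTED_EXT = ".h0lyenc"
NOTE_NAME = "for_decrypt.html"
NOTE_MARKER = b"h0lygh0st@mail2tor.com"

def note_matches(path, limit=65536):
    """Return True if the start of the file contains the contact address."""
    try:
        with open(path, "rb") as fh:
            return NOTE_MARKER in fh.read(limit).lower()
    except OSError:
        return False  # unreadable file: only the name match is reported

def scan(root):
    """Walk root and collect H0lyGh0st file-system indicators."""
    encrypted = Counter()  # directory -> number of files ending in .h0lyenc
    notes = []             # (path, contact address found in content)
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            lowered = name.lower()
            if lowered.endswith(ENCRYPTED_EXT):
                encrypted[dirpath] += 1
            elif lowered == NOTE_NAME:
                full = os.path.join(dirpath, name)
                notes.append((full, note_matches(full)))
    return encrypted, notes

def build_sample(root):
    """Create a constructed sample tree (empty files, not real victim data)."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    for name in ("report.docx.h0lyenc", "budget.xlsx.H0LYENC", "clean.txt"):
        open(os.path.join(docs, name), "wb").close()
    with open(os.path.join(root, "FOR_DECRYPT.html"), "wb") as fh:
        fh.write(b"<html>Send mail to H0lyGh0st@mail2tor.com with your Id.</html>")
    # Same file name but unrelated content: flagged by name, not confirmed.
    with open(os.path.join(docs, "for_decrypt.html"), "wb") as fh:
        fh.write(b"<html>unrelated page</html>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan(tmp))
```

Directories with a high count of renamed files indicate where encryption ran; a note that matches by name but lacks the contact address is worth a manual look rather than automatic dismissal.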
