In brief SMBs, beware: Microsoft said this week it has discovered a North Korean crew targeting small businesses with ransomware since September of last year.

The group, which calls itself H0lyGh0st, appears to be primarily motivated by money, Microsoft Threat Intelligence Center (MSTIC) researchers said. After the gang gets its eponymous malware onto a victim’s network, it follows the standard ransomware playbook: encrypt files, and demand a Bitcoin payment to restore the data.

According to MSTIC, H0lyGh0st’s targets “were primarily small-to-midsized businesses, including manufacturing organizations, banks, schools and event and meeting planning companies.” Microsoft believes most were likely victims of opportunity.

H0lyGh0st claims to be acting “to close the gap between the rich and the poor,” as well as claiming to help victims increase their security awareness (for a fee, of course). Microsoft said it can’t be sure of H0lyGh0st’s intentions, and that it’s equally plausible the group is or isn’t affiliated with the North Korean government.

What is clear from Microsoft’s report is that the group is located in North Korea, and that it’s at least in communication with another North Korean cybergang known variously as Andariel, DarkSeoul and PLUTONIUM. That crew is believed to be responsible for prior attacks against the South Korean Ministry of Defense, Sony, and SWIFT banks, as well as being the possible developers of the WannaCry ransomware. 

While the two have communicated, operate from the same infrastructure set and use custom-made malware with similar names, the MSTICs say their differences “in operational tempo, targeting and tradecraft suggest [H0lyGh0st] and PLUTONIUM are distinct groups.”

MSTIC researchers said Microsoft Defender (antivirus and endpoint) are able to detect H0lyGh0st infections. The team also recommends…