Threat Intelligence: TraderTraitor, Maui Ransomware and the MSTIC H0lyGh0st

In the news recently: more hijinks from our infamous foes, North Korean state-sponsored attackers, the evolving gang of thugs who brought us disruptive malware like the 'WannaCry' ransomware; colorful variants like 'SLICKSHOES,' 'CROWDEDFLOUNDER,' 'ARTFULPIE' and 'BUFFETLINE'; the ATM cash-out malware 'FASTCash'; 'DeltaCharlie,' the DDoS botnet manager; and the 'Kimsuky' APT group (as in Kim sucky out your sensitive data), used to gather intelligence on foreign policy and national security issues.

According to CISA, the North Korean government employs malicious cyber-activity to conduct attacks and generate revenue. Specifically, their assessment states, "North Korea has conducted cyber theft against financial institutions worldwide, stealing hundreds of millions of dollars, to fund government priorities." The cybersecurity industry commonly tracks the groups behind these attacks as Lazarus Group, APT38, BlueNoroff, and Stardust Chollima. 

TraderTraitor: APT Targets Blockchain Companies 

According to the FBI, North Korean cyber actors have been observed targeting organizations in the blockchain technology and cryptocurrency industry. The attacks rely on social engineering to entice people to download trojanized cryptocurrency applications. The cyber actors then gain access to the victim's computer, propagate malware across the victim's network, steal private keys and exploit other security gaps. This enables follow-on activity that initiates fraudulent blockchain transactions.

As of April 2022, North Korea's Lazarus Group has targeted the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency. These actors will likely continue attempted exploits of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime. 

Intrusions begin with many spearphishing messages sent to employees—often in system administration or software development/IT operations (DevOps). The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications, which the U.S. government refers to as "TraderTraitor." 

Maui Ransomware: Targets Healthcare Organizations 

Since May 2021, the FBI has observed and responded to multiple Maui ransomware incidents at healthcare organizations. North Korean state-sponsored cyber actors used Maui ransomware to encrypt servers responsible for electronic health records. In some cases, these incidents disrupted the services provided by the targeted organizations for prolonged periods. The initial access vector(s) for these incidents remain unknown.

According to the FBI, North Korean state-sponsored cyber actors likely assume healthcare organizations are willing to pay ransoms because these organizations provide services critical to human life and health. Because of this assumption, the FBI, CISA, and Treasury assess that North Korean state-sponsored actors are likely to continue targeting healthcare organizations.

H0lyGh0st Ransomware: Targets Small and Midsize Businesses 

According to the Microsoft Threat Intelligence Center (MSTIC), a group of actors originating from North Korea known as DEV-0530 has been developing and using ransomware in attacks since June 2021. This group has used H0lyGh0st ransomware to successfully compromise small businesses in multiple countries since as early as September 2021.

DEV-0530 maintains a .onion site that the group uses to interact with its victims. The group's standard methodology is to encrypt all files on the target device using the file extension .h0lyenc, send the victim a sample of the files as proof, and then demand payment in Bitcoin in exchange for restoring access to the files. As part of their extortion tactics, they also threaten to publish victim data on social media or send the data to the victims' customers if they refuse to pay.
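The .h0lyenc extension described above is a cheap filesystem indicator a responder can sweep for. The following is an added example, not code from Truvantis or Microsoft: it walks a directory tree, tallies files carrying the extension per directory, and flags the host when the count crosses a threshold. The threshold value and the sample directory it builds are assumptions chosen for illustration.

```python
"""Triage sweep for H0lyGh0st-style mass encryption (added example, not Truvantis code).

The page states that DEV-0530's standard methodology is to encrypt all files
on the device and rename them with the .h0lyenc extension. A defender can use
that extension as a filesystem indicator: count how many files under a root
carry it and which directories are affected. The threshold and the sample
tree below are assumptions chosen for illustration.
"""
import os
import tempfile
from collections import Counter

ENCRYPTED_EXT = ".h0lyenc"        # extension reported on the page
MASS_ENCRYPTION_THRESHOLD = 10    # assumed: flag hosts with at least this many hits


def scan_for_encrypted_files(root: str) -> dict:
    """Walk root and tally files ending in .h0lyenc.

    Returns the total hit count, the share of regular files that carry the
    extension, per-directory counts, and a boolean verdict, so an analyst
    sees both the scale and the location of the damage.
    """
    per_dir = Counter()
    total_files = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            total_files += 1
            if name.lower().endswith(ENCRYPTED_EXT):
                per_dir[dirpath] += 1
    hits = sum(per_dir.values())
    return {
        "encrypted_files": hits,
        "total_files": total_files,
        "ratio": (hits / total_files) if total_files else 0.0,
        "directories": dict(per_dir),
        "mass_encryption_suspected": hits >= MASS_ENCRYPTION_THRESHOLD,
    }


def build_sample_tree(root: str, encrypted: int, clean: int) -> None:
    """Constructed sample data: a few clean files plus a burst of renamed ones."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    for i in range(clean):
        with open(os.path.join(root, f"report{i}.txt"), "w") as fh:
            fh.write("plain text\n")
    for i in range(encrypted):
        # Encrypted payload stand-in; only the name matters for this sweep.
        with open(os.path.join(docs, f"invoice{i}.pdf{ENCRYPTED_EXT}"), "w") as fh:
            fh.write("opaque bytes stand-in\n")


def demo() -> dict:
    """Run the sweep against a throwaway tree and return the verdict."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, encrypted=12, clean=3)
        return scan_for_encrypted_files(tmp)


if __name__ == "__main__":
    result = demo()
    print(f"{result['encrypted_files']} of {result['total_files']} files carry {ENCRYPTED_EXT}")
    print("mass encryption suspected:", result["mass_encryption_suspected"])
```

Point `scan_for_encrypted_files` at a mounted image or a live host's data volume to get a first read on how far the encryption spread; the per-directory breakdown is what tells a responder which shares to isolate and which backups to restore first.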

MSTIC assesses that DEV-0530 is connected with another North Korea-based group, PLUTONIUM (aka DarkSeoul or Andariel). While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has observed communications between the two groups and DEV-0530 using tools created exclusively by PLUTONIUM.

Recommended Mitigations 

North Korean state-sponsored cyber actors use a full array of tactics and techniques to exploit networks of interest, acquire sensitive cryptocurrency intellectual property and gain financial assets. On the FBI website, the U.S. government lists recommended mitigations to protect organizations, such as defense-in-depth, patch management, staff security training, encryption, backups, MFA, network monitoring and incident response.

The fact is, it's not practical to approach security from a checklist perspective. We believe in a holistic, three-pronged methodology for cybersecurity, privacy and compliance:

  1. Formal risk assessment 
  2. Standards framework-based policies and procedures (e.g., NIST CSF) 
  3. Comprehensive adversarial penetration testing 

Unless you are already a cybersecurity expert, the challenge can seem overwhelming. Contact us today to connect with a subject matter expert and discuss how we might help you improve your cybersecurity posture by implementing, testing, auditing, and operating your information security and privacy program.  

About Truvantis 

Truvantis is a cybersecurity, privacy and compliance consulting organization. We specialize in helping our clients by implementing, operating, auditing, and testing information security programs that work – balancing a budget with organizational risk appetite. 
