top of page

North Korea's Newest APT Prodigy: HolyGhost "Cost Affordable" Ransomware

North Korea is always a hot topic because of the population’s baffling devotion to “supreme leader/God” Kim Jong-un (a.k.a the world’s most spoiled 3-year-old). When the supreme leader is not throwing tantrums about the United States or stealing food from the hands of his starving people, he is busy sponsoring one of the main sources of revenue fueling his pampered lifestyle: cyber crime.

One of the greatest errors that the Western world chooses to make about Kim Jong-un is his intelligence. This is not referring to the claims of his brainwashed and blinded-adoring people, who on a regular basis hail their dear leader as a “genius” and capable of the most extraordinary feats due to his “magic-like” ability (he can supposedly change the weather by batting his eyelashes at Dennis Rodman).

Just because Kim Jong-un acts like a 3-year-old certainly does not make him one. If he survived this long to become leader of the Kim dynasty, he at least has some ruthless brains. As evidence to this fact, Kim Jong-un and his regime's newest cyber threat actor, H0ly Gh0st, are definitely on to something with their “cost-affordable” ransomware campaign.


(A theoretical advertisement)

*Brought to you by the North Korea Ministry of Defense*

Greetings, United States, United Kingdom, EU, Australia, Japan, etc. (other customers apply)! Are you tired of always having to pay hefty fines after getting tricked again by that pesky North Korean ransomware? Not to worry! Presenting “cost-affordable” ransomware; brought to you by H0ly Gh0st, Advanced Persistent Threat services.

With our affordable care plan, you can pay less to get your data back (after we stole it) with no heavy impact to your finances (*reputation and public relations coverage not included). Here’s how it works:

Step 1: Surrender, infidel, to us exploiting your CVE-2022-26352 vulnerability. We will laugh as we move laterally across your network, discovering all endpoints, and deploying our ransomware via remote code execution (RCE).

Step 2: We steal all of your important stuff and refuse to give it back.

Step 3: You pay us a relatively smaller fee to unlock your data.

Step 4: We take the money and may or may not return your data, depending on if you really deserve it (no backsies with the money though).

Sign up today and get a free missile shelling test when you start!

Xoxo- King Jong-un


Meet H0ly Gh0st; the new cyber “it-gang” on the block. North Korean APTs (Advanced Persistent Threats) are nothing new, but the thing that makes H0ly Gh0st unique is their economic strategy for targeting victims. According to Damien Black’s article on the group, “North Korean ransom gang undercuts competitors by charging low fees”, “H0lyGh0st appears to be going after small-to-medium enterprises, encrypting and threatening to disseminate their vital data if they don’t pay up. In this respect, it is operating much like any other ransomware outfit – but one key difference is that its asking price is much lower than average.”

After their first payload popped up in the month of June, researchers at the Microsoft Threat Intelligence Center (MSTIC) tracked H0ly Gh0st ransomware DEV-0530 to North Korean operations. Whether or not this group is working for private gain or for Kim Jong-un’s cronies is up for debate, but it is highly likely that they share strong ties to the North Korean government and probably cooperate with the state’s agenda (along with the Lazarus Group). Ionut Ilascu's article on ("Microsoft links Holy Ghost ransomware operation to North Korean hackers") cites H0ly Gh0st posing as “security do-gooders”, where the threat actors claim their malicious methods are for the purpose of “closing the gap between the rich and poor” and for increasing the “security-awareness” of their victims. (See image of their website manifesto below. Image courtesy of Ionut Ilascu,, "Microsoft links Holy Ghost ransomware operation to North Korean hackers" ).

Yeah right. There is definitely a market for ransomware, which has grown from targeting individuals to now compromising big corporations and government institutions. So far, H0ly Gh0st ransomware has plagued banks, schools, the manufacturing industry, (etc.). However, instead of requesting heftier payouts, H0ly Gh0st threat actors demand between 1.2 to 5 bitcoins (about the equivalent of $100,000). This is much less than the usual asking price of ransomware groups, but even more intriguing is the fact that H0ly Gh0st often ends up negotiating with their victims, sometimes receiving only one third of their originally requested amount!

Why is this smart? Obviously, people will be more willing to pay for the decryption key if the price strikes as a "good deal", and H0ly Gh0st is certainly seeing the results of this "brilliant" economic move. However, no matter what the price, victims should never give in to ransomware. Despite H0ly Gh0st's very nice promises that they will not delete your data or leak it to the dark web after you pay, there is no guarantee that those things will still not happen anyways. Instead of worrying about negotiating with cybercriminals, organizations should focus on fighting against them.


Here are some of the essential procedures to implement in order to fight against ransomware and, specifically, H0ly Gh0st's nefarious actions:

Image courtesy of

  • Regularly perform data backups

  • Use Multi-Factor Authentication anywhere and everywhere

  • Practice cloud hardening

  • Avoid clicking on unsafe links or opening suspicious email attachments

  • Employ a VPN of public wi-fi networks

  • Perform regular updates of software


Protecting against ransomware hasn’t gotten any easier due to an increase in attacks, especially from aggressive nation-state adversaries which may be the source of H0ly Gh0st’s activity. However, the real challenge that organizations are realizing is how to resist paying smaller ransoms to get their data back. There is no reason why it is better to give in to cybercriminals rather than fight against them, other than it being the "easier" option. However, if organizations can commit to the idea of fighting ransomware before it strikes, they will have a greater chance of defeating their adversaries.

bottom of page