DPRK cyber actors
DPRK cyber actors are described in a joint #StopRansomware advisory as Democratic People’s Republic of Korea state-sponsored ransomware operators. The content states they have conducted ongoing ransomware activity targeting Healthcare and Public Health sector organizations, including U.S. and South Korean healthcare entities, as well as other critical infrastructure. The advisory also notes DPRK cyber operations targeting the U.S. and South Korean governments, including Department of Defense Information Networks and Defense Industrial Base member networks. According to the content, these actors use ransomware operations to generate revenue, with some proceeds assessed to support DPRK national-level priorities and objectives.

Reported ransomware associated with these actors includes Maui and H0lyGh0st. The content also states they have been observed using or possessing publicly available encryption tools including BitLocker, Deadbolt, ech0raix, GonnaCry, Hidden Tear, Jigsaw, LockBit 2.0, My Little Ransomware, NxRansomware, Ryuk, and YourRansom, and that they have at times portrayed themselves as other ransomware groups, including REvil.

The described tradecraft includes acquiring infrastructure by generating domains, personas, and accounts; procuring infrastructure, IP addresses, and domains with cryptocurrency obtained through illicit cybercrime such as ransomware and cryptocurrency theft; and obscuring attribution through third-country identities, foreign intermediaries, VPNs, VPSs, and third-country IP addresses. For initial access, the content states they exploit known vulnerabilities including CVE-2021-44228 (Log4Shell), CVE-2021-20038 (SonicWall SMA100), and CVE-2022-24990 (TerraMaster TOS). They are also described as distributing Trojanized files for the X-Popup messenger used by small and medium-sized hospitals in South Korea, including via the domains xpopup.pe[.]kr and xpopup[.]com.

Post-compromise, the actors are described as using staged payloads and customized malware to conduct reconnaissance, transfer files, execute shell commands, collect victim information, and send that information to actor-controlled remote hosts. They then deploy ransomware, set ransom demands in bitcoin, and communicate with victims via Proton Mail accounts. Aliases and subgroup names directly mentioned in the content: Maui and H0lyGh0st.
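The two distribution domains above are published in defanged form (`[.]`), which is how most advisories ship indicators. The following is an added example, not code from the advisory or from Mallory, showing how a defender would refang those indicators and sweep DNS resolver logs for queries to the domains or any of their subdomains. The log format and the sample lines are constructed for the example; the only real values are the two domains named on this page.

```python
import re
from typing import Iterable, List, Optional, Dict

# Indicators exactly as published (defanged) in the advisory summary above.
DEFANGED_IOCS = ["xpopup.pe[.]kr", "xpopup[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', '(.)', '{.}', 'hxxp') back into a matchable form."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "{.}"):
        s = s.replace(token, ".")
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s)
    return s


def domain_matches(qname: str, watch_domains: Iterable[str]) -> Optional[str]:
    """Return the watch-list domain that qname equals or is a subdomain of, else None.

    The leading dot in the suffix test prevents look-alikes such as
    'notxpopup.com' from matching 'xpopup.com'.
    """
    q = qname.lower().rstrip(".")
    for d in watch_domains:
        if q == d or q.endswith("." + d):
            return d
    return None


# Constructed log format (assumption, not a real resolver's format):
#   <timestamp> <client-ip> query: <qname> <qtype>
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query:\s+(?P<qname>\S+)")


def scan_dns_log(lines: Iterable[str], watch_domains: Iterable[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one hit record per query that touches a watched domain."""
    watch = [refang(d) for d in watch_domains]
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected format
        matched = domain_matches(m["qname"], watch)
        if matched:
            hits.append({
                "ts": m["ts"],
                "client": m["client"],
                "qname": m["qname"],
                "indicator": matched,
            })
    return hits


# Constructed sample resolver log; addresses and timestamps are made up.
SAMPLE_DNS_LOG = [
    "2024-03-01T10:15:02Z 10.20.30.41 query: update.xpopup.pe.kr A",
    "2024-03-01T10:15:09Z 10.20.30.41 query: www.example.org A",
    "2024-03-01T10:16:44Z 10.20.30.77 query: xpopup.com A",
    "2024-03-01T10:17:01Z 10.20.30.90 query: notxpopup.com A",      # look-alike, must not match
    "2024-03-01T10:17:30Z 10.20.30.90 query: xpopup.com.cdn.example A",  # watched name as a prefix, must not match
    "this line is malformed and is skipped",
]


def run_example() -> List[Dict[str, str]]:
    """Sweep the constructed sample log against the page's indicators."""
    return scan_dns_log(SAMPLE_DNS_LOG, DEFANGED_IOCS)


if __name__ == "__main__":
    for hit in run_example():
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} (matches {hit['indicator']})")
```

Two design points matter in practice: refang before matching, since a literal `[.]` never appears in a log, and match on the registrable domain plus a leading dot so that subdomains are caught while look-alike names and names that merely begin with the indicator are not.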
Know when an actor pivots toward your sector
Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Health Care Equipment & Services
Where they target
Geographies tied to known operations.
- 🇺🇸 United States
- 🇰🇷 South Korea
Where they're from
Attributed origin per open-source reporting.
- KP (North Korea)
Tradecraft
8 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.
Associated malware families
13 malware families attributed to this actor across reporting.
8 additional families tracked in Mallory.
Recent activity
1 source tracked across advisories and community write-ups. News coverage will land here when it surfaces.
No news coverage yet. Advisories and community discussion only.
The version that knows your environment.
Match sector + geo + tech-stack targeting against your real footprint.
Every observed MITRE ATT&CK technique, grouped by tactic.
Families this actor is known to deploy, with IOCs and behavior.
CVEs this actor has used in known campaigns.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Domains, IPs, and hashes tied to this actor, refreshed continuously.