holyghost
1 incidents
1 countries
1 sectors
ransomware KR Latest: 2026-06-25
Aliases: H0lyGh0st, Storm-0530, DEV-0530
HolyGhost, also known as H0lyGh0st and tracked by Microsoft as DEV-0530 (later Storm-0530), is a North Korean ransomware group that first emerged in June 2021, evolving its malware from C++-based SiennaPurple variants to Go-based SiennaBlue variants by late 2021. The group is assessed with high confidence to be of North Korean origin, with suspected ties to state-backed groups like PLUTONIUM (also known as DarkSeoul or Andariel). HolyGhost's primary motivation is financial gain through extortion, often targeting small-to-midsize businesses globally, a strategy that distinguishes them from groups focusing solely on large enterprises. They are notable for their double extortion tactics, a willingness to negotiate ransom demands to significantly lower amounts, and their unusual practice of presenting themselves as ethical hackers offering security advice to victims, despite their mercenary intentions. The group has operated under several names, including its ransomware variants SiennaPurp
RansomLook pivots
Data, intelligence and external references for cross-checking the actor's ransomware activity.
Target countries (SOCRadar)
India
Japan
Korea, Democratic People's Republic of
Korea, Republic of
United States
Attacked sectors
Education (1)
Target sectors (SOCRadar)
Food Manufacturing
Monetary Authorities-Central Bank
Enterprises & Holding
Accommodation
Manufacturing
Public Administration
Educational Services
Space & Defense
Energy & Utilities
Accommodation & Food Services
New URLs detected in IntelTracker