H0lyGh0st Ransomware Linked to North Korea
Microsoft Threat Intelligence reported tracking down a threat actor linked with a new strain of ransomware called the H0lyGh0st ransomware. According to Microsoft's researchers, the threat actor is based in North Korea.
The H0lyGh0st ransomware itself uses double extortion, threatening to leak sensitive exfiltrated files in ransom isn't paid. Encrypted files include most popular extensions and include media, document and archive file types, as well as databases. Once encrypted, files scrambled by the H0lyGh0st ransomware receive the ".h0lyenc" extension, replacing their original one and their original file names are swapped out with a long, random string of alphanumeric characters. This will make a file formerly named "document.txt" transform into "[alphanumeric string].h0lyenc" upon encryption.
The ransomware drops its ransom demands inside a file called "FOR_DECRYPT.html".
The full text of the ransom note is as follows:
H0lyGh0st
Please Read this text to decrypt all files encrypted.
Don't worry, you can return all of your files.
If you want to restore all of your files, Send mail to H0lyGh0st@mail2tor.com with your Id. Your ID is -
Or install tor browser and contact us with your id or company name(If all of pcs in your company are encrypted).
Our site : H0lyGh0stWebsite
Our Service
After you pay, We will send unlocker with decryption key
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increase price.
Antivirus may block our unlocker, So disable antivirus first and execute unlocker with decryption key.