A North Korea-linked threat cluster has emerged that targets small to medium organisations with a strain of ransomware called H0lyGh0st. Infections from this strain have increased sharply since September 2021.
The group exploits known vulnerabilities in victims' systems to execute code remotely, move laterally, and pull down the payloads that run the ransomware. Once the ransomware runs, files and folders are encrypted and unusable. A ransom is then demanded, typically between 1.2 and 5 BTC.
The group also exfiltrates data, which is sold on the dark web if the victim does not pay the ransom. The group has become more prominent with the overall rise in ransomware attacks and groups, even after Conti halted operations following its large leak.
Some of the current large-scale ransomware groups include LockBit, Hive, Lilith, RedAlert and 0mega.