Storm-0530

Actor Type Nation State
Attributed to Nation North Korea
Directly Linked Intrusion Sets H0lyGh0st
Affiliated Intrusion Sets Onyx Sleet

Storm-0530 is an intrusion set tracked by Microsoft Threat Intelligence. The group calls itself H0lyGh0st and conducts ransomware attacks for financial gain on behalf of North Korea.

The group has been observed deploying a ransomware payload that encrypts files and appends the '.h0lyenc' extension to them. Victim communication is then conducted through a .onion Tor site, where the group demands payment to decrypt the files and threatens to leak exfiltrated data if it is not paid.
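As an added example (not from the original page or from Microsoft's reporting), the following Python hunts file-event telemetry for the two indicators described above: a burst of files on one host gaining the '.h0lyenc' extension, and a newly written file whose contents reference a .onion address, which is the shape a ransom note pointing at a Tor site would take. The log format, hostnames, paths, thresholds and the onion address are constructed for illustration; only the extension comes from the page.

```python
"""Hunt for H0lyGh0st-style encryption activity in file-event telemetry.

Added example, not code from the original page or from Microsoft. The only
indicator taken from the page is the '.h0lyenc' extension appended to
encrypted files and the use of a .onion site for victim contact; the log
format, hosts, paths, thresholds and onion address below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".h0lyenc"                 # extension reported on the page
# v3 onion addresses are 56 base32 characters; allow shorter legacy ones too
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.IGNORECASE)
BURST_THRESHOLD = 5                        # assumed tuning: renames per window
BURST_WINDOW = timedelta(seconds=60)       # assumed tuning: window length

# Constructed telemetry (not real victim data). Tab-separated fields:
# ISO-8601 UTC time, host, event type, path, optional file content.
SAMPLE_EVENTS = "\n".join([
    "2022-07-14T09:00:01Z\tws01\tFILE_RENAME\tC:\\Users\\a\\Documents\\q3.xlsx.h0lyenc",
    "2022-07-14T09:00:03Z\tws01\tFILE_RENAME\tC:\\Users\\a\\Documents\\plan.docx.h0lyenc",
    "2022-07-14T09:00:04Z\tws01\tFILE_RENAME\tC:\\Users\\a\\Desktop\\notes.txt.h0lyenc",
    "2022-07-14T09:00:06Z\tws01\tFILE_RENAME\tC:\\Users\\a\\Pictures\\img1.jpg.h0lyenc",
    "2022-07-14T09:00:09Z\tws01\tFILE_RENAME\tC:\\Users\\a\\Pictures\\img2.jpg.h0lyenc",
    "2022-07-14T09:00:12Z\tws01\tFILE_RENAME\tC:\\Users\\a\\Pictures\\img3.jpg.h0lyenc",
    # constructed ransom-note text with a placeholder (non-existent) onion address
    "2022-07-14T09:00:15Z\tws01\tFILE_CREATE\tC:\\Users\\a\\Desktop\\README.txt"
    "\tYour files are encrypted. Contact us at "
    "http://exampleonionaddressnotrealexampleonionaddressnotreal.onion/",
    # a single stray .h0lyenc file on another host: worth a look, not a burst
    "2022-07-14T09:30:00Z\tws02\tFILE_RENAME\tD:\\share\\old\\archive.zip.h0lyenc",
    # benign activity that must not fire
    "2022-07-14T09:31:00Z\tws03\tFILE_RENAME\tC:\\Users\\b\\report.docx",
    "2022-07-14T09:32:00Z\tws03\tFILE_CREATE\tC:\\Users\\b\\todo.txt\tbuy milk",
])


def parse_events(text):
    """Parse the constructed tab-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, path, *rest = line.split("\t")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "kind": kind,
            "path": path,
            "content": rest[0] if rest else "",
        })
    return events


def has_burst(times, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """True if at least `threshold` timestamps fall inside any `window`.

    Sliding two-pointer scan over the sorted timestamps, O(n log n).
    """
    times = sorted(times)
    j = 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def hunt(text):
    """Return per-host findings for hosts showing either indicator."""
    enc_times = defaultdict(list)   # host -> times files gained ENCRYPTED_EXT
    notes = defaultdict(list)       # host -> paths of new files citing .onion
    for ev in parse_events(text):
        if ev["path"].lower().endswith(ENCRYPTED_EXT):
            enc_times[ev["host"]].append(ev["time"])
        if ev["kind"] == "FILE_CREATE" and ONION_RE.search(ev["content"]):
            notes[ev["host"]].append(ev["path"])
    findings = {}
    for host in set(enc_times) | set(notes):
        findings[host] = {
            "encrypted_files": len(enc_times[host]),
            "burst": has_burst(enc_times[host]),
            "onion_notes": notes[host],
        }
    return findings


if __name__ == "__main__":
    for host, f in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, f)
```

The extension match alone is a high-confidence indicator because '.h0lyenc' has no legitimate use, so even the single hit on ws02 is reported; the burst flag separates an active encryption run from a stray or copied file, and the .onion check catches the ransom note independently of the extension in case the payload is changed.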

Microsoft suggests the group is distinct from, but affiliated with, Onyx Sleet (also known as Andariel / DarkSeoul).

