We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Ransom:Win32/SiennaBlue.B!dha
Aliases: No associated aliases
Summary
Microsoft Defender Antivirus detects and removes this threat.
This ransomware variant is a H0lyGh0st ransomware loader that has been developed and used by DEV-0530 in multiple campaigns. It is classified under the extension – HolyRS.exe, HolyLocker.exe, and BTLC.exe. It is written in the Go programming language and all the ransomware in the SiennaBlue family share the same Go functions. A deeper look into the Go functions used in the SiennaBlue ransomware showed that over time, the core functionality expanded to include features like various encryption options, string obfuscation, public key management, and support for the internet and intranet.
Microsoft has implemented protections to detect these malware families as SiennaPurple and SiennaBlue (e.g., Trojan:Win32/SiennaPurple.A) via Microsoft Defender Antivirus and Microsoft Defender for Endpoint, wherever these are deployed on-premises and in cloud environments.
Microsoft encourages all organizations to proactively implement and frequently validate a data backup and restore plan as part of broader protection against ransomware and extortion threats.
The techniques used by DEV-0530 in H0lyGh0st activity can be mitigated by adopting the security considerations provided below:
- Use the included IOCs to investigate whether they exist in your environment and assess for potential intrusion.