
Microsoft Uncovers North Korean Group Behind FakePenny Ransomware

Microsoft's assessment indicates that the primary motivation behind these ransomware attacks is financial gain


Microsoft has identified Moonstone Sleet, a North Korean group, as the entity behind the FakePenny ransomware, which has led to ransom demands totaling millions of dollars. This group, previously known as Storm-17, has been targeting a wide range of sectors, including finance, cyber espionage, software, information technology, education, and defense.

Unique Attack Methods and Custom Tools

Moonstone Sleet has developed its own infrastructure and tools, diverging from the tactics of other North Korean groups. Initially, their methods mirrored those of Diamond Sleet, another North Korean group, with extensive code reuse from Diamond Sleet's malware, such as Comebacker. Moonstone Sleet's techniques included using to distribute trojanized software. Over time, they have shifted to their own custom infrastructure and attack methods, although both groups continue to operate concurrently.

In April, Moonstone Sleet deployed a custom variant of the FakePenny ransomware, demanding $6.6 million in Bitcoin, a significant increase from previous North Korean ransomware demands of $100,000. Microsoft's analysis suggests that while financial gain is a primary motivation, the group's history of cyber espionage indicates a dual focus on revenue generation and intelligence collection.

Methods of Infiltration

The group has employed various methods to interact with potential victims. These include trojanized software like PuTTY, malicious games such as DeTankWar, npm packages, and fake companies like StarGlow Ventures and C.C. Waterfall. These fake entities have been used to engage with targets on platforms like LinkedIn, Telegram, freelancing networks, and email.

Moonstone Sleet is part of a broader pattern of North Korean cyber activities. The Lazarus Group was previously blamed for the WannaCry ransomware outbreak in May 2017, which affected hundreds of thousands of computers globally. More recently, in July 2022, Microsoft and the FBI linked North Korean actors to the Holy Ghost ransomware operation and the Maui ransomware attacks on healthcare organizations.

Targeting Software Developers and Aerospace Sector

Moonstone Sleet has also targeted software developers using malicious npm packages and pursued employment in software development positions at legitimate companies to gain access to organizations. The group has compromised companies in the aerospace sector, including those involved in drone technology and aircraft parts. Their tactics have evolved from those of other North Korean groups, indicating a possible sharing of expertise and techniques.

Moonstone Sleet and Diamond Sleet have conducted operations concurrently, using similar techniques and code. This suggests a coordinated effort within North Korean cyber operations, with different groups sharing resources and methods to achieve their objectives.

Markus Kasanmascheff
Markus is the founder of WinBuzzer and has been playing with Windows and technology for more than 25 years. He holds a Master's degree in International Economics and previously worked as Lead Windows Expert for Softonic.com.