North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware

2022-07-14 Microsoft

https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/


Microsoft attributed H0lyGh0st ransomware activity to DEV-0530, a North Korea-origin threat cluster later tracked as Storm-0530, and observed compromises of small and midsize businesses in multiple countries from at least September 2021. The group encrypted Windows systems, appended the .h0lyenc extension to encrypted files, demanded Bitcoin payments, and threatened to publish or share victim data if ransoms were not paid. Microsoft assessed likely overlap with the North Korea-based PLUTONIUM group, also known as DarkSeoul or Andariel, based on shared infrastructure, communications between known accounts, and DEV-0530's use of tools created exclusively by PLUTONIUM. The ransomware families SiennaPurple and SiennaBlue included variants such as BTLC_C.exe, HolyRS.exe, HolyLock.exe, and BLTC.exe, sharing C2 infrastructure and HTTP beacon patterns, including requests of the form access.php?order=AccessRequest&cmn. The activity matters because it links North Korea-origin operators to financially motivated ransomware tradecraft while distinguishing DEV-0530 from PLUTONIUM in tempo, targeting, and tooling.
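The two host- and network-level indicators the summary gives (the .h0lyenc extension and the access.php?order=AccessRequest&cmn beacon shape) translate directly into detection logic. The following Python is an added example written for this page, not code from Microsoft or the report; it runs over constructed proxy and file-event lines, uses only the network indicators listed on this page (the cmn parameter value, host names and file paths in the samples are made up), and matches the beacon by its parameter names since the report does not give the value of cmn.

```python
import re
from collections import Counter
from typing import Dict, List

# Network indicators quoted on this page. The .onion domain is truncated here and is omitted.
NETWORK_IOCS = {"193.56.29.123", "cloud-ex42.usaupload.com"}
# Beacon shape from the summary; the value of cmn is not published, so only the name is matched.
BEACON_RE = re.compile(r"access\.php\?order=AccessRequest&cmn\b")
ENCRYPTED_EXT = ".h0lyenc"

# Constructed sample telemetry (not real victim data). First token is the timestamp,
# the rest are key=value pairs; quoted values may contain spaces and '=' characters.
SAMPLE_PROXY_LOG = [
    '2022-07-10T08:01:12Z src=10.0.0.15 dst=193.56.29.123 method=GET '
    'url="http://193.56.29.123/access.php?order=AccessRequest&cmn=WS01" status=200',
    '2022-07-10T08:02:40Z src=10.0.0.22 dst=203.0.113.10 method=GET '
    'url="https://example.org/index.html" status=200',
    '2022-07-10T08:05:03Z src=10.0.0.15 dst=cloud-ex42.usaupload.com method=GET '
    'url="https://cloud-ex42.usaupload.com/dl/REDACTED" status=200',
]
SAMPLE_FILE_EVENTS = [
    r'2022-07-10T08:10:00Z host=WS01 op=rename path="C:\Users\finance\Q2.xlsx" new="C:\Users\finance\Q2.xlsx.h0lyenc"',
    r'2022-07-10T08:10:01Z host=WS01 op=rename path="C:\Users\finance\report.docx" new="C:\Users\finance\report.docx.h0lyenc"',
    r'2022-07-10T08:11:30Z host=WS01 op=write path="C:\Users\finance\notes.txt"',
    r'2022-07-10T08:12:05Z host=WS02 op=rename path="D:\share\plan.pptx" new="D:\share\plan_v2.pptx"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_kv(line: str) -> Dict[str, str]:
    """Split a line into its timestamp and key=value fields; quoted values lose their quotes."""
    fields = {"ts": line.split(" ", 1)[0]}
    for key, value in KV_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def check_proxy_line(line: str) -> List[str]:
    """Return the reasons a proxy line is suspicious (empty list if none)."""
    f = parse_kv(line)
    reasons = []
    if f.get("dst") in NETWORK_IOCS:
        reasons.append(f"destination {f['dst']} is a listed H0lyGh0st indicator")
    if BEACON_RE.search(f.get("url", "")):
        reasons.append("URL matches the AccessRequest beacon pattern")
    return reasons


def scan_proxy_log(lines: List[str]) -> List[Dict[str, object]]:
    """Collect findings as {ts, src, reasons} for every line that triggers at least one check."""
    findings = []
    for line in lines:
        reasons = check_proxy_line(line)
        if reasons:
            f = parse_kv(line)
            findings.append({"ts": f["ts"], "src": f.get("src"), "reasons": reasons})
    return findings


def scan_file_events(lines: List[str]) -> Dict[str, int]:
    """Count, per host, file operations whose resulting path ends in .h0lyenc.

    Even a single hit is high-confidence because the extension is specific to this family;
    the count helps prioritise hosts where encryption is already in progress.
    """
    counts: Counter = Counter()
    for line in lines:
        f = parse_kv(line)
        target = f.get("new") or f.get("path") or ""
        if target.lower().endswith(ENCRYPTED_EXT):
            counts[f.get("host", "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(finding)
    print(scan_file_events(SAMPLE_FILE_EVENTS))
```

On the constructed samples, the first proxy line is flagged twice (known destination plus beacon shape), the third once for the staging domain, and host WS01 is reported with two .h0lyenc renames. In production the same two checks map onto proxy URL fields and EDR file-rename telemetry; the destination list should be extended with the full onion domain and hashes from the table below.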

Indicators of Compromise

Type    Value                               First Seen   Last Seen
HASH    99fc54786a72f32fd44c7391c2171ca…    2022-07-14   2024-03-17
EMAIL   [email protected]                   2022-07-14   2024-03-17
DOMAIN  mail2tor.com                        2022-07-14   2024-03-17
DOMAIN  matmq3z3hiovia3voe2tix2x54sghc3…    2022-07-14   2024-03-17
HASH    541825cb652606c2ea12fd25a842a8b…    2022-07-14   2023-02-09
HASH    bea866b327a2dc2aa104b7ad7307008…    2022-07-14   2023-02-09
HASH    f8fc2445a9814ca8cf48a979bff7f18…    2022-07-14   2023-02-09
URL     http://matmq3z3hiovia3voe2tix2x…    2022-07-14   2022-08-30
IPv4    193.56.29.123                       2022-07-14   2022-08-30
YARA    SiennaBlue                          2022-07-14   2022-07-14
YARA    SiennaPurple                        2022-07-14   2022-07-14
HASH    f44c6929994386ac2ae18b93f8270ec…    2022-07-14   2022-07-14
URL     https://cloud-ex42.usaupload.co…    2022-07-14   2022-07-14
DOMAIN  cloud-ex42.usaupload.com            2022-07-14   2022-07-14
