HavanaCrypt Ransomware Detection: New Ransomware Family Wreaks Havoc

A new ransomware package dubbed HavanaCrypt quickly catapulted into operation earlier this summer and has already caused a fair share of trouble. HavanaCrypt is a .NET-compiled malware that uses an open-source obfuscation tool dubbed Obfuscar to facilitate code security in a .NET assembly.

The ransomware operators use Microsoft Web hosting service IP address as its C&C server to avoid detection.

Detect HavanaCrypt Ransomware

To swiftly detect this newly discovered strain of ransomware, leverage a set of recently released detection content pieces. The Sigma-based rules detect the HavanaCrypt request to the C2 server to get the secret key and encryption key and its persistence within an infected system:

HavanaCrypt Ransomware Detection

Kudos to our talented Threat Bounty Program member Wirapong Petshagun for releasing high-quality and reliable detection content pieces. The Sigma rules are aligned with the MITRE ATT&CK® framework for enhanced threat visibility.

Click the View Detections button to reach the SOC Prime’s platform hosting a comprehensive collection of detection algorithms enabling teams to continuously keep abreast of emerging ransomware threats. Non-registered users can give the platform a whirl by exploring the first-of-its-kind Threat Hunting search engine. Hit the Explore Threat Context button to learn more.

Detect & Hunt Explore Threat Context

HavanaCrypt Ransomware Description

Security researchers from Trend Micro discovered a new ransomware family named HavanaCrypt. The strain employs sophisticated anti-virtualization techniques, also having the functionality to determine whether the malicious binary was executed in a virtualized environment in a four-step verification process and terminate its processes upon a positive identification outcome. After determining that it isn’t operating in a virtual environment, HavanaCrypt downloads and runs a batch file from its C&C server from a Microsoft hosting service. The ransomware also kills about 100 system processes of desktop programs such as Microsoft Office and Steam or database-related applications like SQL and MySQL. HavanaCrypt deletes shadow copies and scans for restoring instances.

The ransomware operators do not leave a ransom note – an indicator that the newly discovered strain is still under active development.

Cybersecurity researchers and Threat Hunters looking for new ways to boost their professional skills while contributing to the collaborative expertise are welcome to join the ranks of our Threat Bounty Program. By entering this crowdsourcing initiative and sharing their Sigma and YARA rules with industry peers, cybersecurity professionals gain an opportunity to monetize their detection content while contributing to a future-proof cyber defense.