
Havoc Ransomware

Posted: January 17, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 98
First Seen: January 17, 2017
OS(es) Affected: Windows

The Havoc Ransomware is a Trojan that encrypts your files, uploads the decryption key to an external server, and sells access to the decryption process to its victims. Since encryption can damage your local files permanently, keeping a non-local backup is paramount to preventing this Trojan's payload from causing any harm that you can't reverse. Malware experts also encourage using dedicated anti-malware products for blocking the Havoc Ransomware before its attacks or deleting the Havoc Ransomware after them.

A Royal Tithing of Your Files

A threat actor describing himself as 'BinaryEmperor' is launching a new file-encrypting Trojan campaign centered on the Havoc Ransomware, a threat that locks your files as a preliminary to ransoming them. It is unusual for threat actors to give themselves any identifying title in their extortion messages. However, the Havoc Ransomware takes other steps to protect its author's anonymity and conducts what malware experts rate as a relatively ordinary campaign.

The Havoc Ransomware encrypts files with an algorithm still under investigation; AES is the most common choice among such Trojans, although others, such as XOR and Blowfish, are favored by some niche Trojan families. Any file that the Havoc Ransomware encrypts and blocks from opening also receives a '.HavocCrypt' extension so the victim can identify it visually. It uploads the decryption key needed to restore your data to a C&C server, giving the threat actor complete control over it. The Trojan also generates a custom ID that features in the ransom message the Havoc Ransomware displays afterward.
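The '.HavocCrypt' extension described above is the one observable artifact a defender can key on. The following is an added detection example written for this page, not code from the site or from the Trojan: it parses a constructed, tab-separated file-event log (timestamp, process, event, path; the format and the process names are assumptions) and alerts when one process renames five or more files to '.HavocCrypt' within a 60-second window, which separates a mass-encryption burst from an isolated rename.

```python
"""Flag bursts of '.HavocCrypt' renames in a file-system event log.

Added illustration for this page; not code from the ransomware or the
site. The log format (timestamp<TAB>process<TAB>event<TAB>path) and the
process names are constructed assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HAVOC_EXT = ".HavocCrypt"  # extension the page reports on encrypted files

# Constructed sample events: one normal editor save, a five-file rename
# burst from a single unknown process, and one stray rename by explorer.
SAMPLE_LOG = """\
2017-01-17T10:00:01\tnotepad.exe\tWRITE\tC:\\Users\\amy\\notes.txt
2017-01-17T10:05:10\tunknown.exe\tRENAME\tC:\\Users\\amy\\report.docx.HavocCrypt
2017-01-17T10:05:11\tunknown.exe\tRENAME\tC:\\Users\\amy\\budget.xlsx.HavocCrypt
2017-01-17T10:05:11\tunknown.exe\tRENAME\tC:\\Users\\amy\\photo.jpg.HavocCrypt
2017-01-17T10:05:12\tunknown.exe\tRENAME\tC:\\Users\\amy\\thesis.pdf.HavocCrypt
2017-01-17T10:05:13\tunknown.exe\tRENAME\tC:\\Users\\amy\\old.bak.HavocCrypt
2017-01-17T10:09:00\texplorer.exe\tRENAME\tC:\\Users\\amy\\holiday.HavocCrypt
"""


def parse_events(text):
    """Turn the tab-separated log into (datetime, process, event, path) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, ev, path = line.split("\t", 3)
        events.append((datetime.fromisoformat(ts), proc, ev, path))
    return events


def havoc_hits(events):
    """Events whose resulting path carries the .HavocCrypt extension."""
    return [e for e in events if e[3].lower().endswith(HAVOC_EXT.lower())]


def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Per process, alert when >= threshold HavocCrypt renames fall in one window.

    Returns {process: number of renames in the first window that triggered}.
    A sliding window over the sorted timestamps keeps this linear per process.
    """
    per_proc = defaultdict(list)
    for ts, proc, ev, _path in havoc_hits(events):
        if ev == "RENAME":
            per_proc[proc].append(ts)
    alerts = {}
    for proc, times in per_proc.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts[proc] = end - start + 1
                break
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(f"{len(havoc_hits(evs))} files carry {HAVOC_EXT}")
    print("burst alerts:", find_bursts(evs))
```

The single explorer.exe rename is reported as a hit but never reaches the burst threshold, which is the behaviour you want from a rule meant to page someone: an extension match alone is worth a ticket, a rename burst is worth isolating the host.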

The pop-up that the Havoc Ransomware launches afterward gives the victim a two-day countdown to transfer 150 USD in the Bitcoin cryptocurrency and buy the decryption service from its author. However, since the victim must make the transfer before contacting the threat actor's e-mail address for help, there is no guarantee that real decryption help will follow. The Havoc Ransomware's message also threatens to delete the key if the victim takes any action to protect the computer or disable the Trojan. Malware experts often see similar threats in other campaigns, although the deletion is rarely automated and is often a bluff meant to keep the Trojan running.

Refusing a Self-Crowned Emperor's Levy

While the Havoc Ransomware's messages claim that the Trojan is in 'MK II' of its version updates, malware researchers have yet to find any 'MK I' versions of the Havoc Ransomware or other, previous cases of this Trojan in deployment. Early versions of the Havoc Ransomware may be on the threat actor's testing environments, or the version number could be a bluff meant to make the threat look more sophisticated than its actual history would indicate.

Threat actors prefer Bitcoin as a payment option because it stops victims from recovering their money if the decryption help is nonexistent or malfunctions. While malware researchers see no current decryption solution for the Havoc Ransomware, victims can upload appropriate samples to cyber security resources for analysis and so expedite the development of such tools. For complete recovery of your locked files, use backups whenever possible.

Many anti-malware programs prove adequate at detecting and deleting the Havoc Ransomware heuristically, and the Trojan has no exceptional self-defensive characteristics. As is all too often the case, the Havoc Ransomware relies on victims being too afraid to take the only actions capable of saving their PCs, for fear of losing content that they didn't care enough to back up in the first place.
