Watch This Unholy Threat ‘Meet His Maker’ (Video)

Video transcript

In this video, we’ll demonstrate H0lyGh0st, a ransomware strain that has been observed in the wild since around June 2021. Several variants of H0lyGh0st have been developed during this time, with each iteration becoming more functional and increasingly insidious.

In this case, we will be running the latest known variant, from April 2022, which has updated encryption functionality, as well as a method to achieve persistence. For this, we have set up a test machine with CylanceOPTICS® in “Audit-Only” mode, to allow this ransomware to run. It is important to note that H0lyGh0st must be run with administrator privileges to affect its target.

When run, it opens a command window that tries to connect to “ServerBaseURL”, and if that fails, then goes into “Intranet mode”. Right after establishing a successful connection, it displays every file copied, encrypted and renamed thereafter. It also creates a scheduled task called “lockertask” to get persistence on the victim’s machine. At the end of the encryption process, it puts a ransom note on the desktop with further instructions. CylanceOPTICS can identify evidence of initial intranet logins, as well as remote login attempts with the credentials placed in the process.

With our root cause analysis, we can dig deeper into the specifics of this attack. We can see all the steps taken by H0lyGh0st, including the scheduled task created for persistence and “network usage” with credentials in the executable.
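The scheduled task named “lockertask” described above is the one host artifact in this transcript that a responder can check for directly. The following PowerShell is an added example for triaging that persistence mechanism; it is not code from the BlackBerry post or from the ransomware. Only the task name comes from the page; the function names, the triage fields reported, and the use of the Task Scheduler operational log (event ID 106, task registered, which is only populated when that log is enabled) are assumptions about how a defender would go about it. Run it from an elevated PowerShell session.

```powershell
# Added example, not from the original post. Hunts for the "lockertask" scheduled task
# the transcript says H0lyGh0st creates for persistence and reports what it would run.

function Find-LockerTask {
    [CmdletBinding()]
    param(
        # Task name observed in the transcript; override if a variant renames it.
        [string]$TaskName = 'lockertask'
    )

    $findings = @()
    # Exact-name lookup; -ErrorAction SilentlyContinue keeps "not found" from being an error.
    $tasks = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    foreach ($task in $tasks) {
        $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath -ErrorAction SilentlyContinue
        foreach ($action in $task.Actions) {
            # One row per action so a task with several commands is fully visible.
            $findings += [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                State       = $task.State
                RunAs       = $task.Principal.UserId
                Execute     = $action.Execute        # binary or script the task launches
                Arguments   = $action.Arguments
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
            }
        }
    }
    return $findings
}

function Get-LockerTaskRegistrationEvents {
    param([string]$TaskName = 'lockertask')
    # Event ID 106 in the Task Scheduler operational log records task registration,
    # which dates the persistence step even if the task has since been removed.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($TaskName) } |
        Select-Object TimeCreated, Id, @{ n = 'User'; e = { $_.UserId } }, Message
}

$hits = @(Find-LockerTask)
if ($hits.Count -eq 0) {
    Write-Output "No scheduled task named 'lockertask' is registered on this host."
} else {
    Write-Output "Scheduled task(s) matching 'lockertask':"
    $hits | Format-Table -AutoSize
    Write-Output "Registration events (empty if the operational log is disabled):"
    Get-LockerTaskRegistrationEvents | Format-Table -AutoSize
    # During containment, disable rather than delete so the task definition survives as evidence:
    # $hits | ForEach-Object { Disable-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath }
}
```

The Execute and Arguments columns are the useful output: they point at the dropped binary that should be collected and compared against the hashes your EDR already flagged, and the RunAs field confirms whether the task was registered with the administrator privileges the transcript says the ransomware requires.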

By taking a proactive and preventative approach to EDR, CylanceOPTICS can stop this attack before it attempts to encrypt the system or spread through the network.

Here we have a system with CylanceOPTICS, but this time with a prevention policy in place. If we try to run H0lyGh0st with administrator privileges, it is stopped before encryption. With a prevention-focused endpoint protection approach, CylancePROTECT® can prevent H0lyGh0st pre-execution, before the ransomware can act on its first instruction. Let’s copy the same set of files, all the different versions we’ve seen of this ransomware, and try to run them. CylancePROTECT stops this threat, and its variants, as early as possible in its attack chain.

Prevention is possible, with BlackBerry.