VeraCrypt
VeraCrypt is a legitimate open-source disk encryption utility that the Iranian MOIS-affiliated threat actor VOID MANTICORE (also tracked as Red Sandstorm and Banished Kitten, and operating under the Handala Hack and Homeland Justice personas) has abused during destructive intrusion operations. In the cited activity the operators downloaded the tool directly from the official VeraCrypt website, in some cases through the victim's own browser, and used it to encrypt system drives or lock drives so that data could not be recovered. Reporting describes VeraCrypt as one layer of a broader multi-layered destructive playbook that also includes the custom Handala Wiper (handala.exe) with MBR-based wiping, an AI-assisted PowerShell wiper that deletes user directories and drops handala.gif, and manual deletion of virtual machines and files; the encryption step denies recovery even where the wiping is incomplete. Observed targeting tied to these operations includes organizations in Israel, Albania, and the United States, among them a U.S. medical technology firm. No VeraCrypt-specific indicators of compromise beyond its observed abuse for drive encryption are provided in the content.
Groups observed using it
2 distinct threat actor entries attributed by public researchers; both describe the VOID MANTICORE / Handala activity summarized above.
VOID MANTICORE utilized VeraCrypt, a legitimate disk encryption utility that was downloaded directly from the vendor's website.
The group also downloads VeraCrypt, a legitimate encryption utility, directly through the victim’s own browser to lock drives and prevent data recovery.
Techniques & procedures
3 distinct techniques documented for this family, organized by ATT&CK tactic.
Lateral Movement
1 technique
Handala is known to operate primarily in a manual, hands-on manner, with lateral movement conducted largely through extensive use of RDP to move between systems within a compromised environment.
Command and Control
1 technique
VOID MANTICORE has deployed additional payloads from dedicated C2 servers. VOID MANTICORE utilized VeraCrypt, a legitimate disk encryption utility that was downloaded directly from the vendor's website. During Homeland Justice, threat actors used web shells to download files to compromised infrastructure.
Impact
1 technique
During impact, Void Manticore combines multiple destructive methods: ... use of VeraCrypt to encrypt system drives ...
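The script below is an added example, not code from the original page or from any vendor report. It shows one way to hunt for the pattern documented in the sections above: a browser download of the VeraCrypt installer, execution of the VeraCrypt binaries (including the "VeraCrypt Format.exe" component that creates volumes and performs system encryption), loading of the veracrypt.sys driver, and an inbound RDP logon shortly before that activity, matching the hands-on-keyboard lateral movement noted under Lateral Movement. The Sysmon-style and Security log events, host and user names, timestamps, the installer file name, the allowlist of hosts where VeraCrypt is an approved tool, and the two-hour RDP correlation window are all constructed assumptions for the illustration.

```python
"""Hunt for abuse of the legitimate VeraCrypt utility as a destructive tool.

Assumptions (not from the original page): telemetry arrives as a list of flat
dicts shaped loosely like Sysmon (EventID 1 process create, 11 file create,
6 driver load) plus Windows Security 4624 logons. All sample values are
constructed for illustration.
"""
import ntpath
from datetime import datetime, timedelta

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe"}
# Hosts where VeraCrypt is an approved, deployed tool (assumed inventory).
ALLOWLIST = frozenset({"LAPTOP-CFO"})
# How long before the first VeraCrypt event an inbound RDP logon still counts.
RDP_WINDOW = timedelta(hours=2)

# Constructed sample events: inbound RDP, browser download of the installer,
# the installer running, the driver loading, the format/encrypt component
# launching, and one benign mount on an approved laptop.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:10:00", "host": "FS01", "EventID": 4624,
     "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.21"},
    {"ts": "2024-03-01T02:14:30", "host": "FS01", "EventID": 11,
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "TargetFilename": r"C:\Users\jdoe\Downloads\VeraCrypt Setup 1.26.7.exe"},
    {"ts": "2024-03-01T02:15:02", "host": "FS01", "EventID": 1,
     "Image": r"C:\Users\jdoe\Downloads\VeraCrypt Setup 1.26.7.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\jdoe"},
    {"ts": "2024-03-01T02:16:40", "host": "FS01", "EventID": 6,
     "ImageLoaded": r"C:\Windows\System32\drivers\veracrypt.sys", "Signed": "true"},
    {"ts": "2024-03-01T02:18:05", "host": "FS01", "EventID": 1,
     "Image": r"C:\Program Files\VeraCrypt\VeraCrypt Format.exe",
     "ParentImage": r"C:\Program Files\VeraCrypt\VeraCrypt.exe", "User": r"CORP\jdoe"},
    {"ts": "2024-03-01T09:00:00", "host": "LAPTOP-CFO", "EventID": 1,
     "Image": r"C:\Program Files\VeraCrypt\VeraCrypt.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "User": r"CORP\cfo"},
]


def _base(path):
    """Lower-cased file name of a Windows path (works on any OS via ntpath)."""
    return ntpath.basename(path).lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def hunt(events, allowlist=ALLOWLIST):
    """Return {host: {"reasons": [...], "severity": "high"|"medium"}}."""
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)

    findings = {}
    for host, evs in by_host.items():
        if host in allowlist:  # VeraCrypt is expected here; skip the host
            continue
        reasons = set()
        rdp_logons = [_ts(e) for e in evs
                      if e.get("EventID") == 4624 and e.get("LogonType") == 10]
        first_vc = None
        for e in sorted(evs, key=_ts):
            eid = e.get("EventID")
            if eid == 11 and _base(e["Image"]) in BROWSERS \
                    and "veracrypt" in _base(e["TargetFilename"]):
                reasons.add("browser_download")
            elif eid == 1 and _base(e["Image"]).startswith("veracrypt"):
                reasons.add("veracrypt_exec")
                if _base(e["Image"]) == "veracrypt format.exe":
                    reasons.add("format_component")  # creates/encrypts volumes
            elif eid == 6 and _base(e["ImageLoaded"]) == "veracrypt.sys":
                reasons.add("driver_load")
            else:
                continue
            first_vc = first_vc or _ts(e)
        if not reasons:
            continue
        # Hands-on-keyboard: inbound RDP within the window before VeraCrypt use.
        if any(timedelta(0) <= first_vc - t <= RDP_WINDOW for t in rdp_logons):
            reasons.add("rdp_logon_before_activity")
        high = "format_component" in reasons or \
            {"browser_download", "veracrypt_exec"} <= reasons
        findings[host] = {"reasons": sorted(reasons),
                          "severity": "high" if high else "medium"}
    return findings


if __name__ == "__main__":
    for host, f in hunt(SAMPLE_EVENTS).items():
        print(host, f["severity"], ", ".join(f["reasons"]))
```

The allowlist is the important design choice: VeraCrypt is a signed, legitimate product, so presence alone is not malicious, and the signal is its appearance on hosts outside your deployed inventory. Routine use only launches VeraCrypt.exe to mount an existing container, so "VeraCrypt Format.exe" on a server is the strongest single indicator that a volume is being created or a drive encrypted.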
IOCs tracked for this family
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups.
File hashes (MD5, SHA-1, SHA-256) from samples and reports. Because the tool itself is legitimate and signed, a hash of the official installer or binary is hunting context rather than a standalone malicious indicator; the signal is its unexpected presence on hosts outside your deployed inventory.
Recent activity
4 sources tracked across advisories, community write-ups, and news.
Legitimate disk encryption utility abused by the threat actor to encrypt system drives and hinder recovery.
A legitimate disk encryption utility abused by the threat actor to lock drives and hinder recovery during destructive attacks.
Disk encryption software abused by Void Manticore to encrypt system drives during destructive operations.
Legitimate disk encryption utility abused for destructive impact by encrypting system drives, complicating recovery even if wiping is incomplete.