New Ransomware HavanaCrypt Disguises Itself as Google Update

A new strain of ransomware is causing people to lose their files for the past two months. It poses as a Google software updater and uses an open-source password management library. The newest ransomware, HavanaCrypt, has anti-scanning and data exfiltration but doesn’t launch a typical ransom note.

How HavanaCrypt Work?

HavanaCrypt was created with the .NET programming language and an open-sourced binary obfuscator to prevent code from being reverse-engineered.

The researchers have little information about the initial access vector because the sample they analyzed was obtained from VirusTotal, a web-based file scanning service.

The malware publisher apparently modified the malicious executable’s metadata to list Google as the publisher and application name. When triggered, it will create an autorun registry entry called Google Update. Based on the information, it may be assumed that the ransomware was distributed through fake software updates.

The malware looks for processes that are typically used for virtual machine applications. If it finds any, it checks the network card’s MAC address to see if they match known virtual adapters. These checks try to block suspicious programs that often run within virtual machines. It also contains a mechanism to evade parsing through debuggers.

HavanaCrypt static and automated analysis is complex. If any of these checks fail, the program will stop running. If the files pass, it will download a text file from an IP address associated with Microsoft web hosting services. This text actually contains a script to add directories to the Windows Defender scanning exclusion list. Windows Defender will try to close all running processes associated with popular programs. These programs may include Microsoft Word, email clients, data servers, virtual machines, or data synchronization programs. One must remove the lock set by these programs to prevent the file from being encrypted and restored.

HavanaCrypt copies itself to the StartUp and ProgramData folders using a randomly generated 10-character name and then sets it as “System File” and “Hidden” to prevent it from being easily discovered by default Windows will not show these files in your file explorer.

How HavanaCrypt encryption work?

The ransomware tells the C2 server what the infected machine is, then assigns it a unique identification and generates a unique set of keys for encryption. The encryption routine is achieved using a library associated with KeePass, an open-source password manager. Using a well-tested library instead of implementing an encryption routine can also avoid major vulnerabilities that can be cracked later. This is why HavanaCrypt uses the Rijndael encryption algorithm, one of the industry’s most tested algorithms.

The malware will go through the system, looking for files and encrypting them. Files in the exclusion list won’t be hacked and encrypted. The criminals don’t “drop” a traditional ransom note, but they do have a Tor Browser folder in their exclusion list – which suggests that data fusion or Command and Control Communications may be used.