Researchers at Trend Micro discovered a new ransomware family that’s being delivered as a fake Google software update – joining the list of a number of malicious campaigns distributing malware disguised as Windows 10, Google Chrome, and Microsoft Exchange updates. HavanaCrypt is a ransomware package presenting itself as a Google software update, despite it being a .NET-compiled application.
HavanaCrypt is difficult to detect because after the ransomware executes, it hides its window by using the ShowWindow function in the system, which gives it a parameter of 0. Also, the ransomware has multiple anti-virtualization check capabilities, as well as a command-and-control server using a Microsoft web hosting service IP address. According to Trend Micro, the ransomware has four stages of checking to see if infected machines are running in a virtualized environment.
Trend Micro also stated that once it’s verified that a victim’s machine is not running in virtual machine, the ransomware downloads a file named “2.txt” from the previously mentioned Microsoft web hosting service IP address. It then saves it as a batch (.bat) file name that has between 20 and 25 random characters.
The batch file contains commands which are used to configure Windows Defender scan preferences to allow detected threats in the “%Windows%” and “%User%” directories. Additionally, before generating a unique identifier based on compromised devices’ system information, the ransomware deploys executable copies as hidden system files in two folders.
Currently, HavanaCrypt deletes backups and interrupts the functions for restoration. It also uses the KeePass password manger code for encryption and uses the QueueUserWorkItem function to speed up the process. To complicate the development of a tool to decrypt data, code from KeePass is used to generate pseudo-random encryption keys.
Although a text file containing the encrypted files is created and encrypted by HavanaCrypt, it doesn’t drop a ransom note. This is an indication that the ransomware may still be in its development phase. Although HavanaCrypt may still be in development, its recommended that cyber security analysts and engineers detect and block the ransomware before it evolves.
Related Reading: Flash Notice: Zero-Day Google Chrome Type Confusion Vulnerability