Overview of HavanaCrypt

Researchers at Trend Micro discovered a new ransomware family that’s being delivered as a fake Google software update – joining a number of malicious campaigns distributing malware disguised as Windows 10, Google Chrome, and Microsoft Exchange updates. HavanaCrypt is a ransomware package that presents itself as a Google software update, although it is a .NET-compiled application.

HavanaCrypt is difficult to detect because, after the ransomware executes, it hides its window by calling the ShowWindow function with a parameter of 0. The ransomware also has multiple anti-virtualization checks, and its command-and-control server uses a Microsoft web hosting service IP address. According to Trend Micro, the ransomware has four stages of checking to see if infected machines are running in a virtualized environment.

  • Stage 1 – Checks for services used by virtual machines (VMware Tools and vmmouse)
  • Stage 2 – Checks for files related to virtual machine applications 
  • Stage 3 – Checks for file names used by virtual machines for their executables 
  • Stage 4 – Checks machine’s MAC address and compares it to organizationally unique identifier prefixes that are generally used by virtual machines 

Trend Micro also stated that once it’s verified that a victim’s machine is not running in a virtual machine, the ransomware downloads a file named “2.txt” from the previously mentioned Microsoft web hosting service IP address. It then saves it as a batch (.bat) file whose name has between 20 and 25 random characters.

The batch file contains commands which are used to configure Windows Defender scan preferences to allow detected threats in the “%Windows%” and “%User%” directories. Additionally, before generating a unique identifier based on compromised devices’ system information, the ransomware deploys executable copies as hidden system files in two folders.  

Currently, HavanaCrypt deletes backups and interrupts the functions for restoration. It also uses the KeePass password manager code for encryption and uses the QueueUserWorkItem function to speed up the process. To complicate the development of a tool to decrypt data, code from KeePass is used to generate pseudo-random encryption keys.

Although a text file containing the encrypted files is created and encrypted by HavanaCrypt, it doesn’t drop a ransom note. This is an indication that the ransomware may still be in its development phase. Although HavanaCrypt may still be in development, it’s recommended that cyber security analysts and engineers detect and block the ransomware before it evolves.


How Avertium is Protecting Our Customers:

  • Expanding endpoints, cloud computing environments, and accelerated digital transformation have decimated the perimeter in an ever-expanding attack surface. Avertium offers Attack Surface Management, so you’ll have no more blind spots, weak links, or fire drills.
  • Avertium recommends utilizing our service for DFIR (Digital Forensics and Incident Response) to help you rapidly assess, contain, eradicate, and recover from a security incident like a malware attack. 
  • Fusion MXDR is the first MDR offering that fuses together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts.
  • Avertium offers VMaaS to provide a deeper understanding and control over organizational information security risks. If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.
  • Avertium offers Zero Trust Architecture, like AppGate, to stop malware lateral movement.  




Avertium's recommendations

  • Only download software updates from verified sources. Pop-up ads saying your browser is out of date can be malicious.
  • Early detection is important for ransomware disguised as updates. If alerts for either the initial download/execute or the 2.txt download/execute are generated, it can help mitigate and contain the malware.
  • Backups are important, but caution should be used with on-premises backups. Those backups could be targeted by malware, as seen with HavanaCrypt.
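
One way to turn the alerting recommendation above into triage logic, as an added example (not Avertium's or Trend Micro's code). It flags execution of a batch file whose name is 20 to 25 random characters, and Defender preference changes launched from such a batch file. Assumptions: the event field names, that "random characters" means letters and digits, and the cmdlets matched (the page does not list the batch file's commands).

```python
import re
from pathlib import PureWindowsPath

# Assumption: "random characters" means letters and digits; the page gives
# only the length range (20 to 25).
RANDOM_STEM = re.compile(r"^[A-Za-z0-9]{20,25}$")
BAT_TOKEN = re.compile(r'[^\s"]+\.bat\b', re.IGNORECASE)
# Real Defender cmdlets; which ones the batch file calls is not on the page.
DEFENDER_PREF = re.compile(r"\b(?:Set|Add)-MpPreference\b", re.IGNORECASE)

def random_bat_paths(command_line):
    """Return .bat tokens whose file name (minus extension) is 20-25 alphanumerics."""
    return [t for t in BAT_TOKEN.findall(command_line)
            if RANDOM_STEM.match(PureWindowsPath(t).stem)]

def triage(events):
    """Return [(pid, reasons)] for process-creation events that merit an alert."""
    alerts = []
    for ev in events:
        reasons = []
        if random_bat_paths(ev["command_line"]):
            reasons.append("batch file with a 20-25 random-character name executed")
        # Defender changes alone are common admin activity; require the odd parent.
        if (DEFENDER_PREF.search(ev["command_line"])
                and random_bat_paths(ev["parent_command_line"])):
            reasons.append("Defender preferences changed from that batch file")
        if reasons:
            alerts.append((ev["pid"], reasons))
    return alerts

# Constructed events (not real telemetry, not the contents of the actual batch file).
BAT = r"C:\Users\alice\AppData\Local\Temp\k3Jd9QmZx7TpLw2VbN8rYc.bat"
SAMPLE_EVENTS = [
    {"pid": 4120, "command_line": f"cmd.exe /c {BAT}",
     "parent_command_line": r"C:\Users\alice\Downloads\update.exe"},
    {"pid": 4188,
     "command_line": r"powershell.exe -Command Add-MpPreference -ExclusionPath C:\Users",
     "parent_command_line": f"cmd.exe /c {BAT}"},
    {"pid": 5001, "command_line": r"cmd.exe /c C:\tools\backup_nightly.bat",
     "parent_command_line": r"C:\Windows\explorer.exe"},
    {"pid": 5002,
     "command_line": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $false",
     "parent_command_line": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe"},
]

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

The name-length rule will also match legitimately generated installer scripts, so treat a hit as a triage signal to correlate with the parent process and download source rather than as a verdict.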






Supporting documentation

HavanaCrypt ransomware sails in as a fake Google update • The Register 

Google Software Update spoofed by new HavanaCrypt ransomware (scmagazine.com) 

Brand-New HavanaCrypt Ransomware Poses as Google Software Update App Uses Microsoft Hosting Service IP Address as C&C Server (trendmicro.com) 

Fake Google Software Updates Spread New Ransomware (darkreading.com) 

Attackers Distribute HavanaCrypt Ransomware Disguised As Updates From Google - Tech News Space 




