A new ransomware family dubbed ‘HavanaCrypt’ disguises itself as a Google software update app, using a Microsoft web hosting service IP address as its command and control server to circumvent detection.
Detailed by security researchers at Trend Micro in a report, the ransomware is the latest in a series of malware that poses as a legitimate application. This year alone has seen ransomware masquerading as Windows 10, Google Chrome and Microsoft Exchange updates.
The HavanaCrypt ransomware family detailed by Trend Micro is similar in its aims: “It disguises itself as a Google software update application and uses a Microsoft web hosting service IP address as its command and control server to circumvent detection,” Trend Micro said in a blog.
The malware can check if it is operating in a virtualized environment and will terminate itself if that is the case. Trend Micro described how it needed to use tools such as de4dot and DeObfuscar to analyze the sample and generate the deobfuscated code.
Trend Micro’s investigation showed how the ransomware uses the QueueUserWorkItem function, a .NET System.Threading namespace method to speed up encryption, as well as the modules of open-source password manager KeePass Password Safe during its file encryption routine.
HavanaCrypt avoids encrypting files in several directories, including Tor. Taking this into account, it is “highly possible” that the ransomware’s author is planning to communicate via the Tor browser, Trend Micro researchers said.
In addition, the researchers pointed out that HavanaCrypt does not drop a ransom note. “This might be an indication that HavanaCrypt is still in its development phase,” they said. “Nevertheless, it is important to detect and block it before it evolves further and does even more damage.”
“Ransomware groups are turning up pressure on their victims,” said Bharat Mistry, technical director at Trend Micro. “The level of sophistication used by criminal gangs is exponentially increasing and simply relying on user awareness training and endpoint defenses is no longer enough.”
Yet while this is a new type of ransomware, it is delivered through traditional social engineering techniques, said Javvad Malik, lead security awareness advocate at KnowBe4. “It’s important for people to be mindful of what software they download and the source. When in doubt, updates should be left to either the IT team to administer or downloaded through the official channels.”