HavanaCrypt, the ransomware that disguises itself as a Google update

The HavanaCrypt ransomware has data exfiltration capabilities and does everything it can to evade analysis. Its distinguishing trait is that it impersonates a Google software update.

A new ransomware strain has been circulating for two months. Dubbed HavanaCrypt by Cybereason researchers, the malware masquerades as a Google software update application and reuses an open-source password manager library for encryption. HavanaCrypt has anti-analysis, data exfiltration, and privilege escalation mechanisms, but does not appear to drop a traditional ransom note.

Deployment of HavanaCrypt

At this time, the researchers do not have much information about the initial access vector, because the sample they analyzed came from VirusTotal, an online file analysis service, where it was probably uploaded by a victim. What is clear is that the malicious executable’s metadata was modified so that the publisher reads Google and the application name reads Google Software Update. On execution, the ransomware creates an autorun registry entry named GoogleUpdate. From this, it can be assumed that the lure used to distribute the ransomware, whether by email or on the web, is built around a fake software update.

HavanaCrypt is written in .NET and uses an open-source obfuscator called Obfuscar to hide function names and other details, which makes reverse engineering harder. The authors also wrote their own routines to obfuscate the strings in the binary. In addition, the malware checks the system for processes typically associated with virtual machine software and, if it finds any, checks the network adapters’ MAC addresses against known virtual adapter prefixes. These checks are meant to defeat analysis, which often involves running suspicious binaries inside virtual machines (VMs).

Different masking techniques

The ransomware also contains a mechanism that attempts to evade analysis under a debugger. All of these clues show that the creators of HavanaCrypt have put considerable effort into making static and automated analysis more difficult. If any of these checks indicates an analysis environment, the program terminates. If the checks pass, the ransomware downloads a .txt file from an IP address associated with Microsoft web hosting services. This file is simply a script that adds certain directories to Windows Defender’s exclusion list.

Next, the ransomware terminates a list of processes that may be running on the system. These processes belong to popular applications such as Microsoft Word, email clients, database servers, VMs, and data synchronization agents. The goal is to release the file locks held by these programs so that their files can be encrypted. The ransomware also deletes all restore points and Volume Shadow Copy Service (VSS) shadow copies to prevent easy file recovery. HavanaCrypt copies itself to the StartUp and ProgramData folders under a randomly generated 10-character name. The copied file is then given the “System File” and “Hidden” attributes to hinder discovery, since by default Windows File Explorer does not display such files.

Encryption by HavanaCrypt

The ransomware then collects information about the infected machine and sends it to a command and control (C2) server, which assigns the victim a unique ID token and generates the unique keys used for encryption. The encryption routine itself relies on a library associated with the open-source password manager KeePass. Choosing a proven library rather than implementing their own encryption routine spares the creators of HavanaCrypt the kind of major mistakes that might later let researchers build a free decryptor. The malware walks every file, directory, drive and disk present on the system and appends the .Havana extension to every encrypted file. There is, however, an exclusion list of folders and file extensions to keep the system functional. Interestingly, even though the ransomware does not appear to drop a traditional ransom note, the Tor Browser folder is present in the encryption exclusion list, suggesting that the attackers may use Tor for data exfiltration or C2 communications.
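The behaviours described in the deployment, masking and encryption sections above (an autorun value named GoogleUpdate pointing outside Google’s install directory, a 10-character dropper in ProgramData or StartUp, shadow copy deletion, Windows Defender exclusions being added, and a burst of files renamed with the .Havana extension) map directly onto host-based detection rules. The Python below is an added example, not Cybereason’s code and not derived from the HavanaCrypt sample: it runs such rules over a handful of constructed Sysmon-style event records. The event field names, the alphanumeric character set assumed for the random file name (the article only gives the length), the specific shadow-copy and Defender command lines matched, and the rename-burst threshold are all assumptions made for the example.

```python
"""Detection rules for the HavanaCrypt behaviours described in the article,
applied to constructed Sysmon-style events. Added example; assumptions noted."""
import re
from collections import Counter

# Constructed sample telemetry (not real data). Field names loosely follow
# Sysmon: id 1 = process create, 11 = file create, 13 = registry value set.
EVENTS = [
    # Assumed: legitimate Google updater Run value (should NOT fire)
    {"id": 13, "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "details": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"},
    # Masquerading autorun pointing at a 10-character binary in ProgramData
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate",
     "details": r"C:\ProgramData\x8k2pq1mzr.exe"},
    # Assumed command lines for shadow-copy deletion and Defender exclusion
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Add-MpPreference -ExclusionPath C:\\ProgramData"},
    # Encrypted files gaining the .Havana extension, plus an untouched file
    {"id": 11, "target": r"C:\Users\alice\Documents\report.docx.Havana"},
    {"id": 11, "target": r"C:\Users\alice\Documents\budget.xlsx.Havana"},
    {"id": 11, "target": r"C:\Users\alice\Desktop\notes.txt"},
    {"id": 1, "image": r"C:\Program Files\Google\Update\GoogleUpdate.exe",
     "cmdline": "GoogleUpdate.exe /svc"},
]

RUN_VALUE_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Where the genuine Google updater lives; anything else claiming the name is suspect.
LEGIT_GOOGLE_DIR_RE = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\Google\\", re.IGNORECASE)
# Assumption: the random 10-character name is alphanumeric with an .exe suffix.
DROPPED_NAME_RE = re.compile(
    r"\\(ProgramData|Start Menu\\Programs\\Startup)\\[A-Za-z0-9]{10}\.exe$", re.IGNORECASE)
SHADOW_DELETE_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.IGNORECASE)
DEFENDER_EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-Exclusion", re.IGNORECASE)
HAVANA_BURST_THRESHOLD = 2  # assumed; tune to the host's normal file churn


def detect(events):
    """Return a list of {'rule', 'evidence'} findings for the given events."""
    findings = []
    havana_files = []
    for ev in events:
        if ev["id"] == 13:
            m = RUN_VALUE_RE.search(ev["target"])
            if (m and m.group("name").lower() == "googleupdate"
                    and not LEGIT_GOOGLE_DIR_RE.match(ev["details"])):
                findings.append({"rule": "fake_google_autorun", "evidence": ev["details"]})
            if DROPPED_NAME_RE.search(ev["details"]):
                findings.append({"rule": "random_name_dropper", "evidence": ev["details"]})
        elif ev["id"] == 1:
            if SHADOW_DELETE_RE.search(ev["cmdline"]):
                findings.append({"rule": "shadow_copy_deletion", "evidence": ev["cmdline"]})
            if DEFENDER_EXCLUSION_RE.search(ev["cmdline"]):
                findings.append({"rule": "defender_exclusion_added", "evidence": ev["cmdline"]})
        elif ev["id"] == 11:
            if ev["target"].lower().endswith(".havana"):
                havana_files.append(ev["target"])
            if DROPPED_NAME_RE.search(ev["target"]):
                findings.append({"rule": "random_name_dropper", "evidence": ev["target"]})
    # A single renamed file is noise; a burst is the encryption loop at work.
    if len(havana_files) >= HAVANA_BURST_THRESHOLD:
        findings.append({"rule": "havana_extension_burst",
                         "evidence": f"{len(havana_files)} files renamed to .Havana"})
    return findings


def rule_counts(events):
    """Number of findings per rule, useful for a quick triage summary."""
    return dict(Counter(f["rule"] for f in detect(events)))


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(f"{finding['rule']:28s} {finding['evidence']}")
```

The legitimate Google updater entry in the sample data is there deliberately: the autorun rule keys on the value name combined with a path outside Google’s install directory, so the real updater does not trip it. In production the thresholds and paths would come from the environment’s baseline rather than the constants above.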
