Malicious actors are spoofing Google Software Update to deliver HavanaCrypt, a new ransomware family. Beyond its detection-evasion tricks, this nascent threat already packs a notable set of features.
Detection-evasion capabilities
Ransomware disguised as legitimate applications continues to flood the web. After Windows 10, Google Chrome and Microsoft Exchange, a new ransomware family dubbed HavanaCrypt now impersonates Google Update.
According to the researchers, the threat does not yet drop a ransom note and is probably still in development. It must nevertheless be detected and blocked urgently before it evolves further. Google Software Update is installed automatically alongside Google applications such as the Chrome browser or Google Earth for PC, which makes a spoofed updater an inconspicuous cover.
HavanaCrypt’s analysis further reveals that the ransomware uses an IP address belonging to a Microsoft web hosting service as its command-and-control server, which helps it blend in with legitimate traffic and evade detection. The threat actors also use Obfuscar, an open-source .NET obfuscation tool.
The researchers add, “The malware also has several anti-virtualization techniques that help it avoid dynamic scanning when running in a virtual machine,” and continue: “If the ransomware detects that the system is running in a running VM environment, it will automatically shut down.”
Overview of the encryption routine
HavanaCrypt copies itself to the ProgramData and Startup folders under random filenames with the “Hidden” attribute set. The encryption routine uses a random key generator apparently taken from the open-source KeePass Password Safe repository.
The ransomware encrypts files and appends a .Havana extension to them. The researchers point out that HavanaCrypt skips files with certain extensions, including those that already carry a malicious extension.
It is quite possible that the ransomware author plans to communicate via the Tor browser: according to the researchers, Tor files are among those spared from encryption.
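The file-system behaviour described above (hidden executables dropped into ProgramData and the Startup folder, encrypted files renamed with a .Havana extension) is the kind of indicator a responder can check for on a suspect host. The following script is an added example, not code from the article or from the researchers cited: it triages a file inventory for both indicators. The inventory format, the sample paths and the Startup folder fragment are assumptions made for this example; the .Havana extension, the drop folders and the Hidden attribute come from the article.

```python
"""Host triage for the HavanaCrypt file-system indicators described in the text.

Added example (not the article's or the researchers' code). It flags:
  1. hidden executables located under ProgramData or the Startup folder, and
  2. files whose name ends in the .Havana extension.
The FileRecord inventory format and the sample entries are assumptions.
"""
import os
import stat
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Folder fragments matched case-insensitively inside a full path (assumed layout).
PROGRAMDATA_FRAGMENT = r"\programdata"
STARTUP_FRAGMENT = r"\microsoft\windows\start menu\programs\startup"
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".com")
ENCRYPTED_SUFFIX = ".havana"   # extension HavanaCrypt appends (from the article)


@dataclass(frozen=True)
class FileRecord:
    path: str
    hidden: bool


def is_suspicious_drop(rec: FileRecord) -> bool:
    """Hidden executable sitting in one of the drop folders named in the article."""
    p = rec.path.lower()
    in_drop_dir = PROGRAMDATA_FRAGMENT in p or STARTUP_FRAGMENT in p
    return rec.hidden and in_drop_dir and p.endswith(EXEC_SUFFIXES)


def is_encrypted_artifact(rec: FileRecord) -> bool:
    """File already renamed with the ransomware's .Havana extension."""
    return rec.path.lower().endswith(ENCRYPTED_SUFFIX)


def triage(records: Iterable[FileRecord]) -> Dict[str, List[str]]:
    """Run both checks over an inventory and group the hits by indicator."""
    findings: Dict[str, List[str]] = {"hidden_drops": [], "encrypted_files": []}
    for rec in records:
        if is_suspicious_drop(rec):
            findings["hidden_drops"].append(rec.path)
        if is_encrypted_artifact(rec):
            findings["encrypted_files"].append(rec.path)
    return findings


def _is_hidden(path: str) -> bool:
    """Hidden attribute on Windows (st_file_attributes); dotfile fallback elsewhere."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN) or os.path.basename(path).startswith(".")


def scan_directory(root: str) -> List[FileRecord]:
    """Build an inventory from a real directory tree for use with triage()."""
    records = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                records.append(FileRecord(full, _is_hidden(full)))
            except OSError:
                continue   # file vanished or is unreadable; skip rather than abort
    return records


# Constructed sample inventory (paths and names invented for this example).
SAMPLE_INVENTORY = [
    FileRecord(r"C:\ProgramData\x7f2q9.exe", hidden=True),
    FileRecord(r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\k3j1.exe", hidden=True),
    FileRecord(r"C:\ProgramData\Microsoft\Windows\Caches\index.dat", hidden=True),   # hidden, not executable
    FileRecord(r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", hidden=False),  # the real updater
    FileRecord(r"C:\Users\alice\Documents\report.docx.Havana", hidden=False),
    FileRecord(r"C:\Users\alice\Documents\notes.txt", hidden=False),
]

if __name__ == "__main__":
    for indicator, paths in triage(SAMPLE_INVENTORY).items():
        print(f"{indicator}: {len(paths)} hit(s)")
        for p in paths:
            print("  ", p)
```

Run against a live host with `triage(scan_directory(r"C:\ProgramData"))` and the per-user Startup folder; the sample inventory shows that a hidden non-executable in ProgramData and the genuine GoogleUpdate.exe are left alone, while the two hidden executables and the renamed document are reported.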
Protect yourself from ransomware: install high-performance protection software chosen from our list of the best antivirus products.