A new ransomware family dubbed “HavanaCrypt” disguises itself as Google’s software update application and uses an IP address belonging to a Microsoft web hosting service as its command-and-control server to evade detection. Because traffic to a Microsoft-hosted address blends in with legitimate cloud traffic, blocking by IP address or hosting provider alone is unlikely to catch it.
Detailed by Trend Micro security researchers in a report, the ransomware is the latest in a series of malware families posing as legitimate applications. This year alone, ransomware has impersonated Windows 10, Google Chrome, and Microsoft Exchange updates.
The HavanaCrypt family follows the same pattern. “It disguises itself as a software update application from Google and uses a Microsoft web hosting service IP address as a command-and-control server to bypass detection,” Trend Micro said in a blog post.
The malware checks whether it is running in a virtualized environment and terminates itself if so, so dynamic analysis in a sandbox that exposes virtualization artifacts will show little of its behaviour. The sample is also obfuscated: Trend Micro said it had to use tools such as de4dot and DeObfuscar to produce deobfuscated code before it could be analyzed.
Trend Micro’s investigation showed that the ransomware uses QueueUserWorkItem, a method of the .NET System.Threading.ThreadPool class, to parallelize and thereby speed up encryption, and that it incorporates modules from the open-source password manager KeePass Password Safe in its file-encryption routine.
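For readers who will meet this in a decompiler, the following is an added illustration, written for this page and not taken from HavanaCrypt or from Trend Micro’s report, of what a ThreadPool.QueueUserWorkItem fan-out looks like in .NET: each file becomes a queued work item, a CountdownEvent tracks completion, and the actual encryption runs on pool threads rather than in the caller. The file names, their in-memory contents and the AES-CBC routine are constructed for the example; the sample’s real key handling and cipher choice are not described on this page and are not reproduced here. It targets .NET 6 or later (RandomNumberGenerator.GetBytes).

```csharp
using System;
using System.Security.Cryptography;
using System.Threading;

// Added example of the ThreadPool.QueueUserWorkItem pattern; not HavanaCrypt code.
class ThreadPoolFanOut
{
    // Hypothetical per-item work: AES-CBC over an in-memory buffer.
    static byte[] EncryptAesCbc(byte[] plaintext, byte[] key, byte[] iv)
    {
        using var aes = Aes.Create();
        aes.Key = key;
        aes.IV = iv;
        using var enc = aes.CreateEncryptor();
        return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    // Queues one work item per input and blocks until every item has signalled.
    // Returns the ciphertexts in input order so the caller can inspect them.
    static byte[][] EncryptAllInParallel((string Name, byte[] Data)[] files, byte[] key)
    {
        var results = new byte[files.Length][];
        using var done = new CountdownEvent(files.Length);

        for (int i = 0; i < files.Length; i++)
        {
            int idx = i; // capture a per-iteration copy, not the loop variable
            ThreadPool.QueueUserWorkItem(_ =>
            {
                try
                {
                    byte[] iv = RandomNumberGenerator.GetBytes(16); // fresh IV per item
                    results[idx] = EncryptAesCbc(files[idx].Data, key, iv);
                }
                finally
                {
                    done.Signal(); // always count down, even if encryption throws
                }
            });
        }

        done.Wait(); // the caller thread does none of the work itself
        return results;
    }

    static void Main()
    {
        // Constructed sample inputs standing in for files on disk.
        var files = new (string Name, byte[] Data)[]
        {
            ("report.docx", new byte[4096]),
            ("photo.jpg",   new byte[65536]),
            ("notes.txt",   new byte[128]),
        };
        byte[] key = RandomNumberGenerator.GetBytes(32);

        byte[][] ciphertexts = EncryptAllInParallel(files, key);
        for (int i = 0; i < files.Length; i++)
            Console.WriteLine($"{files[i].Name}: {files[i].Data.Length} -> {ciphertexts[i].Length} bytes");
    }
}
```

The analysis consequence is that the encryption never appears as one linear loop in the decompiled code: the routine that opens and writes files lives in the lambda handed to QueueUserWorkItem, and stepping through Main in a debugger shows only the queueing and the final Wait. Setting a breakpoint inside the queued delegate, or on the cryptographic API it calls, is the quicker way to reach the file-encryption logic.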
HavanaCrypt skips files in several directories, including the Tor browser’s. Given that exclusion, the Trend Micro researchers said it is “strongly possible” that the ransomware author plans to communicate with victims through the Tor browser.
The researchers also noted that HavanaCrypt does not drop a ransom note. “This could be an indication that HavanaCrypt is still in its development phase,” they said. “Nevertheless, it is important to detect it and block it before it evolves further and does even more damage.”
“Ransomware groups are increasing the pressure on their victims,” said Bharat Mistry, CTO at Trend Micro. “The level of sophistication used by criminal gangs is increasing exponentially and it is no longer sufficient to simply rely on user awareness training and endpoint defenses.”
Yet, despite being a new type of ransomware, it is distributed via traditional social engineering techniques, said Javvad Malik, senior security awareness advocate at KnowBe4. “It’s important that people are aware of the software they download and the source. If in doubt, updates should be left to the IT team to be administered or downloaded through official channels.”