Security researchers detect new ransomware named HavanaCrypt posing as a fake Google Software Update
Trend Micro Inc., a Japanese multinational cybersecurity company, reports that it has identified a new ransomware family that poses as a fake Google Software Update application. Trend Micro's security researchers have named the ransomware HavanaCrypt; it performs anti-virtualization checks to avoid detection and uses an IP address belonging to a Microsoft web hosting service as its command-and-control (C&C) server, from which it receives commands remotely.
Security researchers say that HavanaCrypt inspects namespace, method, and function names to identify the types, functions, and variables it uses, and employs an open-source password manager during encryption. The ransomware is obfuscated with Obfuscar, an open-source obfuscator for .NET, to make its compiled code hard to analyze. It then registers a Google Update entry in the AutoRun registry key. After that, it begins its anti-virtualization routine, first checking which services are present on the device and then checking for files belonging to related applications.
The malware downloads a file named "2.txt" from a Microsoft web hosting service IP address and saves it as a .bat file, which it then executes. This batch file keeps the malware from being detected by Windows Defender. Once it has established itself on the user's device, the malware terminates a series of running processes, deletes all shadow copies, and disables the Task Manager.
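The behaviour chain described above (AutoRun entry, download of "2.txt" to a .bat file, shadow-copy deletion, Task Manager disabled) lends itself to a correlation rule that only alerts when several steps co-occur. The following is an added detection example run over constructed sample events; it is not code from the article or from Trend Micro, and the vssadmin/wmic command lines and the DisableTaskMgr registry value are assumed mechanisms, since the article names only the effects.

```python
import re
from collections import OrderedDict

# Constructed sample telemetry (not from the article): one event per line,
# "<type>|<process>|<detail>", loosely modelled on Sysmon-style events.
SAMPLE_EVENTS = [
    "registry|GoogleUpdate.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\GoogleUpdate = C:\\Users\\u\\AppData\\GoogleUpdate.exe",
    "network|GoogleUpdate.exe|GET http://203.0.113.7/2.txt",
    "file|GoogleUpdate.exe|create C:\\Users\\u\\AppData\\Local\\Temp\\def.bat",
    "process|cmd.exe|vssadmin delete shadows /all /quiet",
    "registry|GoogleUpdate.exe|HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr = 1",
    "process|explorer.exe|notepad.exe C:\\Users\\u\\notes.txt",
]

# Behaviours the article attributes to HavanaCrypt, as regexes over the detail field.
# The shadow-copy command lines and the DisableTaskMgr value are assumed mechanisms.
BEHAVIOURS = OrderedDict([
    ("autorun_google_update", re.compile(r"\\CurrentVersion\\Run\\.*google\s?update", re.I)),
    ("download_2_txt", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/2\.txt", re.I)),
    ("bat_dropped", re.compile(r"create .*\.bat$", re.I)),
    ("shadow_copies_deleted", re.compile(r"vssadmin.*delete shadows|wmic.*shadowcopy.*delete", re.I)),
    ("task_manager_disabled", re.compile(r"DisableTaskMgr\s*=\s*1", re.I)),
])


def match_behaviours(events):
    """Return the set of behaviour names observed anywhere in the event lines."""
    seen = set()
    for line in events:
        try:
            _kind, _proc, detail = line.split("|", 2)
        except ValueError:
            continue  # malformed line: skip it rather than crash the detector
        for name, pattern in BEHAVIOURS.items():
            if pattern.search(detail):
                seen.add(name)
    return seen


def assess(events, threshold=3):
    """Alert only when several chain steps co-occur, so that a lone Google Update
    AutoRun entry (which the legitimate product also creates) does not fire on its own."""
    seen = match_behaviours(events)
    return {"matched": sorted(seen), "alert": len(seen) >= threshold}


if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS))
```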
HavanaCrypt generates a unique identifier (UID) from the system's processor core count and processor ID, processor name, socket, motherboard manufacturer name, BIOS version, and product number.
The ransomware uses KeePass Password Safe, a free, open-source password manager, to generate the passwords it uses for encryption. It then writes a text file logging the encrypted files. However, the malware does not drop a ransom note.
According to Trend Micro's researchers, "HavanaCrypt is still in its developmental phase," and it is important for cybersecurity companies to remove and block it before it evolves, collects more data, and infects more devices.